Mikrotik split-dns: they did it

Less than 10 years have passed, and the RoS developers have (in stable 6.47) added functionality that lets you redirect DNS requests according to special rules. Where previously you had to fiddle with Layer-7 rules in the firewall, this is now done simply and elegantly:

/ip dns static
add forward-to=192.168.88.3 regexp=".*\.test1\.localdomain" type=FWD
add forward-to=192.168.88.56 regexp=".*\.test2\.localdomain" type=FWD

My joy knows no bounds!

What does this mean for us?

At a minimum, we get rid of odd NAT constructions like this one:


/ip firewall layer7-protocol
add comment="DNS Nat contoso.com" name=contoso.com regexp="\x07contoso\x03com"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=udp to-addresses=192.0.2.15
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=tcp to-addresses=192.0.2.15
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=udp
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=tcp

And that is not all: you can now register several forwarding servers, which will help you set up DNS failover.
Smart DNS handling will make it easier to introduce IPv6 into the company network. I had not done this before, because I need to resolve a number of DNS names to local addresses, and with IPv6 that could not be done without big crutches.
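
An added example (Python, not from the original article) showing why the Layer-7 pattern above contains \x07 and \x03, and which names each of the two rule styles actually catches. The sample names, the anchored variant and the assumption that the static-DNS regexp is matched unanchored (modelled here with re.search) are mine, not the article's.

```python
import re

def encode_qname(name: str) -> bytes:
    """Encode a host name as a DNS wire-format QNAME (length-prefixed labels)."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # the zero-length root label terminates the name
    return bytes(out)

def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header, QNAME, QTYPE, QCLASS=IN."""
    header = b"\x12\x34" + b"\x01\x00" + b"\x00\x01" + b"\x00" * 6
    return header + encode_qname(name) + qtype.to_bytes(2, "big") + b"\x00\x01"

# Patterns copied from the rules on this page.
L7_PATTERN = re.compile(rb"\x07contoso\x03com")
FWD_PATTERN = re.compile(r".*\.test1\.localdomain")
# Hypothetical tightened variant (not from the page), anchored at both ends.
FWD_ANCHORED = re.compile(r"^.*\.test1\.localdomain$")

def l7_matches(name: str) -> bool:
    """Layer-7 rule: byte-level search over the raw query packet."""
    return L7_PATTERN.search(build_query(name)) is not None

def fwd_matches(pattern: re.Pattern, name: str) -> bool:
    """FWD rule: regex over the textual name; search semantics are assumed."""
    return pattern.search(name.rstrip(".").lower()) is not None

# Constructed sample names, for illustration only.
SAMPLES = ["www.contoso.com", "contoso.com.example.net", "contoso.community",
           "host.test1.localdomain", "host.test1.localdomain.example.net"]

if __name__ == "__main__":
    print(encode_qname("contoso.com"))  # the bytes the Layer-7 regexp looks for
    for n in SAMPLES:
        print(f"{n:40} l7={l7_matches(n)!s:5} fwd={fwd_matches(FWD_PATTERN, n)!s:5} "
              f"anchored={fwd_matches(FWD_ANCHORED, n)}")
```

Both the Layer-7 byte pattern and the unanchored name regexp also match names that merely contain the internal zone as a prefix of a longer name, so it is worth checking which queries a rule will send to the internal resolver before deploying it.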

source: www.habr.com