Redirecting all DNS requests to the MikroTik router's DNS


One recurring headache for network administrators is DNS: users entering the wrong DNS server, or changing the DNS settings themselves. This article therefore shows how to send all user DNS requests to the MikroTik router's DNS, regardless of the DNS settings configured on the clients.

1- In the first step, we write a dstnat rule for each of the two protocols, tcp and udp.

[Screenshots of the dstnat rules; alt text: Redirecting all DNS requests to the MikroTik router's DNS]

As you know, DNS requests use port 53. With this dstnat rule, every DNS request is sent (Redirect) to port 53 on the MikroTik itself.

2- In the next step, we configure how the MikroTik handles DNS requests.

[Screenshot of the DNS settings; alt text: Redirecting all DNS requests to the MikroTik router's DNS]

In the highlighted field, enter the IP address of a valid DNS server on the network.
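The two steps above written out as RouterOS CLI commands, as an added example that is not part of the original article; the interface lists LAN and WAN (created by the default configuration) and the upstream resolver address 10.0.0.2 are assumptions:

```routeros
# Step 1: redirect every DNS query arriving from the LAN to the router's own
# resolver, whatever DNS server the client has configured.
# in-interface-list=LAN (assumed to exist) keeps the rule from also redirecting
# port-53 traffic that arrives on the WAN side.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="Force LAN DNS to router (udp)"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 comment="Force LAN DNS to router (tcp)"

# Step 2: let the router answer DNS queries from clients and forward them to a
# trusted upstream. 10.0.0.2 is a placeholder for the "valid DNS server on the
# network" the article refers to.
/ip dns
set allow-remote-requests=yes servers=10.0.0.2

# Caveat: allow-remote-requests=yes also answers queries that reach the router
# from the WAN side unless the input chain blocks them, which would make the
# router an open resolver. Accept DNS from the LAN, drop it from the WAN.
/ip firewall filter
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop

# Check: after a LAN client resolves a name, it appears in the router's cache,
# proving the query went through the router rather than the client's server.
/ip dns cache print where name~"example"
```

Because redirect only rewrites the destination, a client that queries 8.8.8.8 directly still receives its answer from the router, which is exactly the behaviour the article is after.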

NAT (wiki.mikrotik)

Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred to as a natted network. For NAT to function, there must be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP address rewriting on the way a packet travels to or from the LAN.

There are two types of NAT:

source NAT or srcnat. This type of NAT is performed on packets that originate from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. A reverse operation is applied to the reply packets travelling in the other direction.

destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted network. It is most commonly used to make hosts on a private network accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards a private network.

Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT. Services that require the initiation of a TCP connection from outside the private network, or stateless protocols such as UDP, can be disrupted. Moreover, some protocols are inherently incompatible with NAT; a bold example is the AH protocol from the IPsec suite.

To overcome these limitations RouterOS includes a number of so-called NAT helpers, that enable NAT traversal for various protocols.

Masquerade
Firewall NAT action=masquerade is a unique subversion of action=srcnat; it was designed for the specific situation in which the public IP can change at random, for example when a DHCP server changes it, or when a PPPoE tunnel gets a different IP after a disconnect. In short: when the public IP is dynamic.

Every time an interface disconnects and/or its IP address changes, the router clears all masqueraded connection tracking entries that send packets out of that interface, which improves system recovery time after a public IP address change.

Unfortunately this can lead to some issues when action=masquerade is used in setups with unstable connections/links that get routed over a different link when the primary is down. In such a scenario the following things can happen:

on disconnect, all related connection tracking entries are purged;
the next packet from every purged (previously masqueraded) connection comes into the firewall as connection-state=new, and, if the primary interface is not back, the packet is routed out via an alternative route (if you have any), thus creating a new connection;
the primary link comes back, routing is restored over the primary link, so packets that belong to existing connections are sent over the primary interface without being masqueraded, leaking local IPs to a public network.
You can work around this by creating a blackhole route as an alternative to the route that might disappear on disconnect.

When action=srcnat is used instead, connection tracking entries remain and connections can simply resume.


Source: nooran
3 comments
  1. hooman says:

    udp 53 or tcp 53, which one is correct?

    1. Saeed says:

      Hello
      DNS can actually operate over both, which is why you have to write both.

  2. Hosseini says:

    A question
    If we have a separate DNS server, what should we do? We don't want this server to be visible from outside;
    it is only used for the internal network.
