Scenario:
An internal DNS server has been set up for the intranet. Developers have some internally used domain names, generally of the form inner*.domain.com. The requirement is to resolve these on the internal DNS first, and only if no record exists there to fall back to normal external resolution.
Design description:
Since the domain names that need this are limited, following the principle of least impact only *.domain.com is DNS-hijacked;
Configuration:
step1: layer7 DNS identification
A regex can match more domains, e.g. .domain.com|.domain2.com
/ip firewall layer7-protocol add name=inner_dns regexp=.domain.com
step2: enable the DNS function of RouterOS
Internal DNS server = 192.168.23.56
/ip dns set allow-remote-requests=yes query-server-timeout=5s servers=192.168.23.56
step3: add the DNS hijack, forwarding the requests identified in step1 to port 53 on RouterOS
Condition: layer7=inner_dns && udp && dstPort=53 && not innerdns (i.e. the source is neither the internal DNS server nor the router itself, so the router's own forwarded queries are not redirected again)
/ip firewall nat
add action=redirect chain=dstnat comment="hack dns" dst-address-type=!local \
dst-port=53 layer7-protocol=inner_dns protocol=udp src-address=\
!192.168.23.56 src-address-type=!local to-ports=53
That's basically it.
Icing on the cake:
Check the internal DNS: when it can no longer resolve, disable the hijack; when it recovers, re-enable it. This requires an A record on the internal DNS that will never go away.
step1: script -- enable or disable the hijack depending on whether the DNS can resolve
cDomain: the domain name to resolve
cDomainOk: the correct resolution result
dnsServer: the internal DNS server address
/system script
add dont-require-permissions=no name=check_hack_dns owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local cD\
omain f.chuangcache.com\r\
\n:local cDomainOk 192.168.11.53\r\
\n:local dnsServer 192.168.23.56\r\
\n:local isDisabled null\r\
\n:local dnsCheck null\r\
\n\r\
\n:do { :set isDisabled [/ip firewall nat get [find comment=\"hack dns\"] disabled\
] } on-error={set isDisabled \"error\";:log info \"firewall not found! \";:quit;};\
\r\
\n\r\
\n:do { :set dnsCheck [:resolve server=\$dnsServer domain-name=\$cDomain ] } on-er\
ror={set dnsCheck \"error\"};\r\
\n\r\
\n\r\
\n\r\
\n# turn on dns hack if check ok\r\
\n:if (\$isDisabled=true and \$dnsCheck=\$cDomainOk ) do={ /ip firewall nat set \
[find comment=\"hack dns\"] disabled=no; :log info \"hack dns is enabled\" }\r\
\n\r\
\n# turn off dns hack when check error\r\
\n:if (\$isDisabled=false and \$dnsCheck=\"error\" ) do={ /ip firewall nat set [fi\
nd comment=\"hack dns\"] disabled=yes; :log info \"hack dns is disabled , check= \
\$dnsCheck\" ; }\r\
\n\r\
\n# \r\
\n:if (\$isDisabled=true and \$dnsCheck=\"error\") do={:log info \"local dns serve\
r down : \$dnsServer\"} "
That's hard to read; here is a tidy version:
:local cDomain f.domain.com
:local cDomainOk 192.168.11.53
:local dnsServer 192.168.23.56
:local isDisabled null
:local dnsCheck null
:do { :set isDisabled [/ip firewall nat get [find comment="hack dns"] disabled] } on-error={set isDisabled "error";:log info "firewall not found! ";:quit;};
:do { :set dnsCheck [:resolve server=$dnsServer domain-name=$cDomain ] } on-error={set dnsCheck "error"};
# turn on dns hack if check ok
:if ($isDisabled=true and $dnsCheck=$cDomainOk ) do={ /ip firewall nat set [find comment="hack dns"] disabled=no; :log info "hack dns is enabled" }
# turn off dns hack when check error
:if ($isDisabled=false and $dnsCheck="error" ) do={ /ip firewall nat set [find comment="hack dns"] disabled=yes; :log info "hack dns is disabled , check= $dnsCheck" ; }
# log only: hijack already off and local dns still not resolving
:if ($isDisabled=true and $dnsCheck="error") do={:log info "local dns server down : $dnsServer"}
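Two things about the configuration above are easy to get wrong, so here is an added example (not from the original post or from RouterOS) that models both. First, the layer7 regexp ".domain.com" from step1 is matched against raw packet bytes, and in DNS wire format a query name is a sequence of length-prefixed labels with no literal dots, so the regex works only because each "." is a wildcard that matches the length byte; an escaped "\.domain\.com" would never match, and the unescaped form also matches names such as mydomain.com. Second, the check_hack_dns script only disables the redirect when :resolve fails; a wrong answer from the internal DNS leaves the redirect enabled. The code builds a DNS query the way a resolver would put it on the wire, applies the regexp to it, parses a constructed reply, and reproduces the script's three decision branches. The names build_query, l7_matches, first_a_record and decide are my own; the DNS response is constructed inline for the test.

```python
import re
import struct


def encode_name(name: str) -> bytes:
    """DNS wire format: each label prefixed by its length, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard A query (QTYPE=1, QCLASS=IN) with the RD flag set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def l7_matches(payload: bytes, regexp: str) -> bool:
    """Approximates the layer7 matcher: the regexp is run over the raw payload bytes.
    DOTALL so that '.' also matches a length byte of 0x0a (a 10-character label)."""
    return re.search(regexp.encode("latin-1"), payload, re.DOTALL) is not None


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def first_a_record(resp: bytes):
    """Return the first A record in the answer section, or None on error rcode / no answer."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F != 0 or an == 0:
        return None
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = decode_name(resp, off)
        off += 4
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            return ".".join(str(b) for b in rdata)
    return None


def build_response(query: bytes, ip: str) -> bytes:
    """Constructed reply for the test: echo the question, answer with one A record
    whose owner name is a compression pointer to the question name at offset 12."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
    return header + query[12:] + rr + bytes(int(x) for x in ip.split("."))


def decide(is_disabled, dns_check, expected: str) -> str:
    """Mirror the branches of the page's check_hack_dns script.
    is_disabled: True/False (rule state) or "error" (rule not found)
    dns_check:   resolved IP string or "error" (resolve failed)"""
    if is_disabled == "error":
        return "abort"          # script logs "firewall not found!" and stops
    if is_disabled is True and dns_check == expected:
        return "enable"         # internal DNS is back: re-enable the redirect
    if is_disabled is False and dns_check == "error":
        return "disable"        # internal DNS down: stop redirecting
    if is_disabled is True and dns_check == "error":
        return "log_down"       # already off, just log that the server is down
    return "noop"               # e.g. redirect on but the answer is wrong: nothing happens


if __name__ == "__main__":
    q = build_query("inner1.domain.com")
    print("literal name in payload:", b"inner1.domain.com" in q)
    print(".domain.com matches:", l7_matches(q, ".domain.com"))
    print("\\.domain\\.com matches:", l7_matches(q, r"\.domain\.com"))
    print("mydomain.com also matches:", l7_matches(build_query("mydomain.com"), ".domain.com"))
    print("A record:", first_a_record(build_response(q, "192.168.11.53")))
    print("wrong answer while enabled ->", decide(False, "10.0.0.1", "192.168.11.53"))
```

The "noop" branch is the one to watch: if the internal server answers with something other than cDomainOk, the script neither disables the redirect nor logs anything, so a misconfigured or hijacked internal zone stays in the path. Tightening the rule to compare the answer rather than only catching resolve errors is a small change to the second :if in the script.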
step2: add a scheduled task that runs the check once a minute
on-event takes the name of the script
/system scheduler
add interval=1m name="do local dns check" on-event=check_hack_dns policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=\
jul/28/2022 start-time=20:44:28
end:
It's rough and the details aren't worked out, but it's good enough to use.