RouterOS: limited DNS hijacking with a health check


2023-09-11 05:33 | Source: web compilation | Views: 265

Scenario:

An internal DNS server has been set up for the LAN. Development uses some internal-only host names, generally inner*.domain.com, that have to resolve. The requirement is to resolve on the internal DNS first and, only if there is no answer there, go out to the internet and resolve normally.

Design:

Since the set of domains that need this is limited, the minimal-impact principle applies: only hijack DNS for *.domain.com.

Configuration:

Step 1: layer7 DNS matching

The regex can match more domains, e.g. .domain.com|.domain2.com

/ip firewall layer7-protocol add name=inner_dns regexp=.domain.com

Step 2: enable the DNS service on RouterOS

Internal DNS server = 192.168.23.56

/ip dns set allow-remote-requests=yes query-server-timeout=5s servers=192.168.23.56

Step 3: add the DNS hijack, redirecting the requests matched in step 1 to port 53 on RouterOS itself

Conditions: layer7=inner_dns && udp && dstPort=53 && not innerdns (the internal DNS server's own traffic is excluded)

/ip firewall nat add action=redirect chain=dstnat comment="hack dns" dst-address-type=!local dst-port=53 layer7-protocol=inner_dns protocol=udp src-address=!192.168.23.56 src-address-type=!local to-ports=53

Put simply, that is all there is to it.
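An added illustration, not part of the original post, of what the layer7 regex actually sees. A DNS query carries the name in wire format, with a length byte in front of each label instead of a dot, so the unescaped `.` in `.domain.com` is what makes the rule match at all, and the same wildcard also matches unrelated names such as notdomain.com or domain.com.evil.example, whose queries would then be redirected to the router. The script builds constructed query payloads and runs the regex over them as an approximation of the layer7 matcher (assumption: an unanchored search over the raw payload with `.` matching any byte). The tighter pattern `\x06domain\x03com\x00` is my suggestion and assumes RouterOS accepts `\x` byte escapes in layer7 patterns.

```python
import re

# Assumption: the RouterOS layer7 matcher behaves like an unanchored regex
# search over the raw packet payload, with "." matching any byte.
# This is a stand-alone model for reasoning about patterns, not RouterOS code.


def qname_wire(name: str) -> bytes:
    """Encode a name as it appears on the wire: <len><label>...<0x00>."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dns_query_payload(name: str, txid: int = 0x1234) -> bytes:
    """Constructed UDP DNS query for an A record: header, QNAME, QTYPE, QCLASS."""
    header = (txid.to_bytes(2, "big")  # transaction id
              + b"\x01\x00"            # flags: standard query, recursion desired
              + b"\x00\x01"            # QDCOUNT = 1
              + b"\x00\x00" * 3)       # ANCOUNT, NSCOUNT, ARCOUNT = 0
    return header + qname_wire(name) + b"\x00\x01" + b"\x00\x01"


def layer7_matches(pattern: str, payload: bytes) -> bool:
    """Model of the layer7 test: does the pattern occur anywhere in the payload?"""
    return re.search(pattern.encode("latin-1"), payload, re.DOTALL) is not None


PAGE_PATTERN = r".domain.com"               # the pattern used on the page
ESCAPED_PATTERN = r"\.domain\.com"          # literal dots: never present on the wire
STRICT_PATTERN = r"\x06domain\x03com\x00"   # suggested: exact labels, end of name

# constructed query names, including two that only look related
SAMPLE_NAMES = [
    "inner1.domain.com",
    "domain.com",
    "notdomain.com",
    "domain.com.evil.example",
    "example.org",
]


def hijacked(pattern: str, names=SAMPLE_NAMES) -> dict:
    """Which of the sample queries the NAT rule would redirect under a pattern."""
    return {n: layer7_matches(pattern, dns_query_payload(n)) for n in names}


if __name__ == "__main__":
    for pat in (PAGE_PATTERN, ESCAPED_PATTERN, STRICT_PATTERN):
        print(pat, hijacked(pat))
```

The page's pattern matches because the `.` wildcard absorbs the length bytes; escaping the dots, which would be the natural "fix", matches nothing. Matching the length bytes explicitly keeps the rule to names that end in domain.com.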

Icing on the cake:

Check the internal DNS: when it can no longer resolve, turn the hijack off; when it recovers, turn it back on. This needs an A record on the internal DNS that never goes away.

Step 1: script - enable or disable the rule depending on whether the DNS resolves

cDomain: the domain name

cDomainOk: the correct resolution record

dnsServer: the internal DNS server address

/system script add dont-require-permissions=no name=check_hack_dns owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local cDomain f.chuangcache.com\r\n:local cDomainOk 192.168.11.53\r\n:local dnsServer 192.168.23.56\r\n:local isDisabled null\r\n:local dnsCheck null\r\n\r\n:do { :set isDisabled [/ip firewall nat get [find comment=\"hack dns\"] disabled] } on-error={ :set isDisabled \"error\"; :log info \"firewall not found!\"; :quit; };\r\n\r\n:do { :set dnsCheck [:resolve server=\$dnsServer domain-name=\$cDomain] } on-error={ :set dnsCheck \"error\" };\r\n\r\n# turn on dns hack if check ok\r\n:if (\$isDisabled=true and \$dnsCheck=\$cDomainOk) do={ /ip firewall nat set [find comment=\"hack dns\"] disabled=no; :log info \"hack dns is enabled\" }\r\n\r\n# turn off dns hack when check error\r\n:if (\$isDisabled=false and \$dnsCheck=\"error\") do={ /ip firewall nat set [find comment=\"hack dns\"] disabled=yes; :log info \"hack dns is disabled , check= \$dnsCheck\"; }\r\n\r\n# already disabled and still failing: log only\r\n:if (\$isDisabled=true and \$dnsCheck=\"error\") do={ :log info \"local dns server down : \$dnsServer\" }"

That is hard to read, so here is a tidy version:

:local cDomain f.domain.com
:local cDomainOk 192.168.11.53
:local dnsServer 192.168.23.56
:local isDisabled null
:local dnsCheck null

# read the current state of the "hack dns" NAT rule; quit if it does not exist
:do { :set isDisabled [/ip firewall nat get [find comment="hack dns"] disabled] } on-error={ :set isDisabled "error"; :log info "firewall not found!"; :quit; };

# resolve the probe record against the internal dns; any failure becomes "error"
:do { :set dnsCheck [:resolve server=$dnsServer domain-name=$cDomain] } on-error={ :set dnsCheck "error" };

# turn on dns hack if check ok
:if ($isDisabled=true and $dnsCheck=$cDomainOk) do={ /ip firewall nat set [find comment="hack dns"] disabled=no; :log info "hack dns is enabled" }

# turn off dns hack when check error
:if ($isDisabled=false and $dnsCheck="error") do={ /ip firewall nat set [find comment="hack dns"] disabled=yes; :log info "hack dns is disabled , check= $dnsCheck"; }

# already disabled and still failing: log only
:if ($isDisabled=true and $dnsCheck="error") do={ :log info "local dns server down : $dnsServer" }

Step 2: add a scheduled task that checks once a minute

on-event takes the script's name

/system scheduler add interval=1m name="do local dns check" on-event=check_hack_dns policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jul/28/2022 start-time=20:44:28

End:

Rough, details not polished; good enough to make do with.
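An added example (Python, not the post's RouterOS script) that models the decision the check script makes on each scheduler run, so the state transitions of steps 1 and 2 can be walked through offline. `decide` mirrors the script's three `:if` branches and its `on-error` exit; `decide_strict` is my own variant that also treats a wrong answer as a failure, because the page's script only disables the rule when `:resolve` errors out: an internal server that is up but answers with a different address leaves the hijack enabled. The timeline of resolver results is constructed.

```python
ERROR = "error"  # what the script stores when :resolve or the NAT lookup fails


def decide(is_disabled, dns_check, expected_ip):
    """Mirror of the page's script: the action taken for one run."""
    if is_disabled == ERROR:
        return "abort"       # NAT rule "hack dns" not found -> script quits
    if is_disabled is True and dns_check == expected_ip:
        return "enable"      # internal dns answers correctly -> re-enable hijack
    if is_disabled is False and dns_check == ERROR:
        return "disable"     # internal dns failed -> stop redirecting queries
    if is_disabled is True and dns_check == ERROR:
        return "log_down"    # still down, already disabled -> log only
    return "noop"            # includes: server up but answering a wrong address


def decide_strict(is_disabled, dns_check, expected_ip):
    """Added variant (assumption, not on the page): any answer other than the
    expected record counts as a failure, so a wrong answer also disables."""
    if is_disabled == ERROR:
        return "abort"
    healthy = dns_check == expected_ip
    if is_disabled is True and healthy:
        return "enable"
    if is_disabled is False and not healthy:
        return "disable"
    if is_disabled is True and not healthy:
        return "log_down"
    return "noop"


def simulate(results, expected_ip, policy=decide, start_disabled=False):
    """Replay one scheduler run per resolver result.
    Returns (result, action, rule_disabled_after) tuples."""
    disabled = start_disabled
    trace = []
    for result in results:
        action = policy(disabled, result, expected_ip)
        if action == "abort":
            break
        if action == "enable":
            disabled = False
        elif action == "disable":
            disabled = True
        trace.append((result, action, disabled))
    return trace


# constructed timeline of what :resolve returned on successive minutes
TIMELINE = ["192.168.11.53", ERROR, ERROR, "192.168.11.53", "10.0.0.9", "192.168.11.53"]
EXPECTED = "192.168.11.53"  # the cDomainOk value from the page

if __name__ == "__main__":
    for policy in (decide, decide_strict):
        print(policy.__name__)
        for step in simulate(TIMELINE, EXPECTED, policy):
            print("  ", step)
```

With the page's logic the rule is switched off on the first error and back on at the first correct answer, but the wrong-address minute is a no-op; the strict variant disables there and re-enables on the next correct answer.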
