当前位置：网站首页>RouterOS 有限dns劫持及check

RouterOS 有限dns劫持及check

2022-07-28 21:34:00 【51CTO】

场景：

内部搭建了内网用的dns，开发会有一些内部使用的域名来解析一般都是 inner*.domain.com,需求是先在内网进行解析，没有再出外网正常解析。

设计描述：

由于需要此功能的域名是有限的，最小影响原则只对 *.domain.com 进行dns劫持；

配置:

step1：layer7 dns识别配置

可以用正则匹配更多的域名比如 .domain.com|.domain2.com

       
       /ip firewall layer7-protocol add name=inner_dns regexp=.domain.com
      
1.

step2:开启routeros的dns功能

内网dns server= 192.168.23.56

       
       /ip dns set allow-remote-requests=yes query-server-timeout=5s servers=192.168.23.56
      
1.

step3: 添加dns劫持,将step1识别出来的请求转发到routeros的53端口上

条件 layer7=inner_dns&&udp&&dstPort=53&&not innerdns

简单来说就行了。。。。。。。

锦上添花：

检查内网dns，无法解析了就关闭劫持，恢复了就开启劫持，需要内网dns有个不会失效的A记录

step1：script脚本--根据dns是是否能解析进行开启关闭

cDomain 域名

cDomainOk 正确的解析记录

dnsServer 内网dns服务器地址

       
       /
       
       system 
       
       script
       
       add 
       
       dont
       
       -
       
       require
       
       -
       
       permissions
       
       =
       
       no 
       
       name
       
       =
       
       check_hack_dns 
       
       owner
       
       =
       
       admin 
       
       policy
       
       =
       
       \
       
       ftp,
       
       reboot,
       
       read,
       
       write,
       
       policy,
       
       test,
       
       password,
       
       sniff,
       
       sensitive,
       
       romon 
       
       source
       
       =
       
       ":local cD\
       
       omain f.chuangcache.com\r\
       
       \n:local cDomainOk 192.168.11.53\r\
       
       \n:local dnsServer 192.168.23.56\r\
       
       \n:local isDisabled null\r\
       
       \n:local dnsCheck null\r\
       
       \n\r\
       
       \n:do { :set isDisabled [/ip firewall nat get [find comment=\"hack dns\"] disabled\
       
       ] } on-error={set isDisabled \"error\";:log info \"firewall not found! \";:quit;};\
       
       \r\
       
       \n\r\
       
       \n:do { :set dnsCheck [:resolve server=\$dnsServer domain-name=\$cDomain ] } on-er\
       
       ror={set dnsCheck \"error\"};\r\
       
       \n\r\
       
       \n\r\
       
       \n\r\
       
       \n# turn on dns hack if check ok\r\
       
       \n:if (\$isDisabled=true and \$dnsCheck=\$cDomainOk ) do={ /ip firewall nat set \
       
       [find comment=\"hack dns\"] disabled=no; :log info \"hack dns is enabled\" }\r\
       
       \n\r\
       
       \n# turn off dns hack when check error\r\
       
       \n:if (\$isDisabled=false and \$dnsCheck=\"error\" ) do={ /ip firewall nat set [fi\
       
       nd comment=\"hack dns\"] disabled=yes; :log info \"hack dns is disabled , check= \
       
       \$dnsCheck\" ; }\r\
       
       \n\r\
       
       \n# \r\
       
       \n:if (\$isDisabled=true and \$dnsCheck=\"error\") do={:log info \"local dns serve\
       
       r down : \$dnsServer\"} "
      
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.

不好看来个整齐的：

       
       :
       
       local 
       
       cDomain 
       
       f.
       
       domain.
       
       com
       
:
       
       local 
       
       cDomainOk 
       
       192.168
       
       .11
       
       .53
       
:
       
       local 
       
       dnsServer 
       
       192.168
       
       .23
       
       .56
       
:
       
       local 
       
       isDisabled 
       
       null
       
:
       
       local 
       
       dnsCheck 
       
       null
       
:
       
       do { :
       
       set 
       
       isDisabled [
       
       /
       
       ip 
       
       firewall 
       
       nat 
       
       get [
       
       find 
       
       comment
       
       =
       
       "hack dns"] 
       
       disabled] } 
       
       on
       
       -
       
       error
       
       ={
       
       set 
       
       isDisabled 
       
       "error";:
       
       log 
       
       info 
       
       "firewall not found! ";:
       
       quit;};
       
:
       
       do { :
       
       set 
       
       dnsCheck [:
       
       resolve 
       
       server
       
       =
       
       $dnsServer 
       
       domain
       
       -
       
       name
       
       =
       
       $cDomain ] } 
       
       on
       
       -
       
       error
       
       ={
       
       set 
       
       dnsCheck 
       
       "error"};
       
       # 
       
       turn 
       
       on  
       
       dns 
       
       hack 
       
       if 
       
       check 
       
       ok
       
:
       
       if (
       
       $isDisabled
       
       =
       
       true 
       
       and 
       
       $dnsCheck
       
       =
       
       $cDomainOk )   
       
       do
       
       ={ 
       
       /
       
       ip 
       
       firewall 
       
       nat 
       
       set [
       
       find 
       
       comment
       
       =
       
       "hack dns"] 
       
       disabled
       
       =
       
       no;  :
       
       log 
       
       info 
       
       "hack dns is enabled" }
       
       # 
       
       turn 
       
       off 
       
       dns 
       
       hack 
       
       when 
       
       check 
       
       error
       
:
       
       if (
       
       $isDisabled
       
       =
       
       false 
       
       and 
       
       $dnsCheck
       
       =
       
       "error" ) 
       
       do
       
       ={ 
       
       /
       
       ip 
       
       firewall 
       
       nat 
       
       set [
       
       find 
       
       comment
       
       =
       
       "hack dns"] 
       
       disabled
       
       =
       
       yes; :
       
       log 
       
       info 
       
       "hack dns is disabled , check= $
       
       dnsCheck
       
       " ; }
       
       # 
       
:
       
       if (
       
       $isDisabled
       
       =
       
       true 
       
       and 
       
       $dnsCheck
       
       =
       
       "error") 
       
       do
       
       ={:
       
       log 
       
       info 
       
       "local dns server down : $
       
       dnsServer
       
       "} 
      
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.

step2：添加定时任务 1分钟检查一次

on-event 就填script的name

       
       /
       
       system 
       
       scheduler
       
       add 
       
       interval
       
       =
       
       1
       
       m 
       
       name
       
       =
       
       "do local dns check" 
       
       on
       
       -
       
       event
       
       =
       
       check_hack_dns 
       
       policy
       
       =
       
       \
       
       ftp,
       
       reboot,
       
       read,
       
       write,
       
       policy,
       
       test,
       
       password,
       
       sniff,
       
       sensitive,
       
       romon 
       
       start
       
       -
       
       date
       
       =
       
       \
       
       jul
       
       /
       
       28
       
       /
       
       2022 
       
       start
       
       -
       
       time
       
       =
       
       20:
       
       44:
       
       28
      
1.
2.
3.
4.

end：

粗糙、细节没有弄凑合用吧

原网站

版权声明
本文为[51CTO]所创，转载请带上原文链接，感谢
https://blog.51cto.com/axe999/5523800

当前位置：网站首页>RouterOS 有限dns劫持及check

RouterOS 有限dns劫持及check

边栏推荐

猜你喜欢

随机推荐