I had the same problem, but found at least a temporary solution. Copy & paste from my blog:

I'm using a MikroTik router at home, with an RB150 constantly handling the connection to the provider (PPPoE) and to my office (VPN over the internet). However, since the router is using the provider's DNS, it is not possible to work with shared folders or perform any other domain tasks (while office IPs are readily accessible). Anything using Active Directory will fail, since no computer at home will be able to resolve the domain controllers. How to fix this:

1. Added a layer7 matcher for \x06\x5Fmsdcs\x08mydomain\x03com (you need to replace mydomain.com with your domain address). Each domain part is preceded with \x and the number of characters in hex; \x5F is the _ symbol. Whenever a computer tries to find Active Directory servers it requests multiple DNS records, all ending with _msdcs.yourdomain.com.

   /ip firewall layer7-protocol add comment="" name=activedirectory regexp="\x06\x5Fmsdcs\x06itsoft\x02by"

2. Added a mangle rule to mark DNS request packets matching our layer7 rule and with our DNS server as destination:

   /ip firewall mangle add action=mark-packet chain=prerouting comment="" disabled=no dst-address=192.168.0.200 dst-port=53 layer7-protocol=activedirectory new-packet-mark=activedirectory passthrough=yes protocol=udp

3. Added a dst-nat rule to route Active Directory specific requests to the actual domain server:

   /ip firewall nat add action=dst-nat chain=dstnat comment="forward active directory DNS requests" disabled=no dst-port=53 packet-mark=activedirectory protocol=udp to-addresses=10.10.0.201 to-ports=53

That's all. It works, at least in my particular configuration. Maybe there are easier solutions, but I wasn't able to find any.

Nice to know, but that's not it.
In fact, there are three different things here:

1) this last regular expression: it will return an A record pointing at 10.1.2.3 for any A record query with a hostname ending with '.somedomain'.

2) the clever hack above: it will forward any query with a hostname ending with '.somedomain' to a different DNS server. Then different domains can resolve correctly, e.g. Mail.somedomain to 10.1.2.3, to 192.168.1.2, etc., as long as the given server controls all of them, including subdomains.

3) a fully working implementation: I'd tell RoS that domain '.somedomain' is controlled by DNS server 10.1.2.3. Then the client sends a question for '. RoS asks 10.1.2.3 for it and 10.1.2.3 replies 'I don't know, whole subdomain.somedomain is controlled by 10.20.30.40'. RoS sends the original query to 10.20.30.40 and gets a reply that has IP address 192.168.44.11. There is no way to do this in current RoS and the only solution is a recursive resolver, not just forwarding like the current one.

Just for closing this post:

1. Local domain.office.local (FQDN)
2. Local DNS server 192.168.1.1

We need to resolve server1.office.local, work.office.local for remote users.

1. Create l7:

   /ip firewall layer7-protocol add name=remote_office regexp=office.local|[0-9]+.[0-9]+.168.192.in-addr.arpa

2. Create 2 NAT rules:

   /ip firewall nat add action=masquerade chain=srcnat disabled=no protocol=udp dst-port=53
   /ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-address-type=local dst-port=53 layer7-protocol=remote_office protocol=udp to-addresses=192.168.1.1 to-ports=53

This info was taken from the WIKI site of.

Erm, do you really think this was worth digging up a thread after six years? And how exactly is this info supposed to close it?
It's still the same old and ugly (even though it's pretty smart, no doubt about that part) L7 hack, which does bypass the router's DNS cache, doesn't work with TCP, can't be used with IPv6, and it's just not admin-friendly at all.
And as a bonus, your regexp is wildly inaccurate: it matches office.local, but also notoffice.local and office-local.com. Your only excuse is that any exposure for this missing feature is a good thing.
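An added example, not code from this thread or from RouterOS: it builds the DNS wire-format layer7 pattern the first post describes, and checks against constructed DNS query bytes why the plain office.local regexp criticised above overmatches. Python's re module stands in for the RouterOS layer7 engine, and the query packets are constructed, not captured.

```python
# Added example (not from the thread): DNS wire-format layer7 patterns and
# a byte-level check of what a layer7-style regexp actually matches.
import re
import struct

def dns_wire_name(name: str) -> bytes:
    """Encode 'a.b.c' as it appears in a DNS packet: <len><label>... then 0x00."""
    out = b""
    for label in name.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad DNS label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def layer7_regexp(suffix: str) -> str:
    """Pattern in the first post's style: length bytes and non-alphanumerics
    as \\xNN escapes, letters and digits literal."""
    parts = []
    for label in suffix.strip(".").split("."):
        parts.append(f"\\x{len(label):02X}")
        parts += [c if c.isalnum() else f"\\x{ord(c):02X}" for c in label]
    return "".join(parts)

def dns_query(qname: str, qtype: int = 1) -> bytes:
    """Constructed UDP DNS query payload: 12-byte header + one IN question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + dns_wire_name(qname) + struct.pack("!HH", qtype, 1)

def l7_matches(regexp: str, payload: bytes) -> bool:
    """Apply a layer7-style regexp to raw payload bytes; '.' matches any byte,
    including the label-length byte that replaces the dot on the wire."""
    return re.search(regexp.encode("latin-1"), payload) is not None

def compare_patterns(qname: str) -> dict:
    """Which pattern fires on an A query for qname: the naive 'office.local'
    from the later post, or the wire-encoded suffix \\x06office\\x05local."""
    pkt = dns_query(qname)
    return {
        "naive": l7_matches("office.local", pkt),
        "wire": l7_matches(layer7_regexp("office.local"), pkt),
    }

if __name__ == "__main__":
    print(layer7_regexp("_msdcs.mydomain.com"))   # \x06\x5Fmsdcs\x08mydomain\x03com
    for name in ("server1.office.local", "notoffice.local", "office-local.com"):
        print(name, compare_patterns(name))
```

The wire-encoded form only fires when the length byte 0x06 sits directly before "office", so notoffice.local and office-local.com no longer match; the naive pattern fires on all three.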