DNS with FRITZ!Box fails for Telekom SIP

Started by crbble, March 29, 2022, 04:57:47 PM

March 29, 2022, 04:57:47 PM Last Edit: March 29, 2022, 05:28:17 PM by crbble
/Edit: Sorry for the preliminary post. Apparently this is FRITZ!Box specific. There are two DNS server settings, one where the internet is configured and one where the ipv4 network is configured. Setting the ipv4 DNS Server to the OPNSense (default setting is the FRITZ!Box itself) solves the problem with different TTLs for the same DNS request.

Hi,

I am running OPNSense on a Sophos box:

Internet -> OPNSense -> FRITZ!Box -> Local Network

The DNS Configuration is:

- "Local Network" uses FRITZ!Box
- FRITZ!Box uses Unbound on OPNSense
- OPNSense uses Provider DNS

Currently most things work as expected, even ipv6 on the local network.  :)

The FRITZ!Box also acts as DECT gateway for SIP telephony. From time to time the SIP connection breaks with "403 Forbidden" and from my impression this is a DNS problem. When I query the FRITZ!Box and OPNSense (which both should use OPNSense as source) I get the following replies:


$ dig _sip._udp.tel.t-online.de SRV @opnsense
[...]
;; ANSWER SECTION:
_sip._udp.tel.t-online.de. 2529 IN      SRV     20 0 5060 d-epp-110.edns.t-ipnet.de.
_sip._udp.tel.t-online.de. 2529 IN      SRV     30 0 5060 h2-epp-110.edns.t-ipnet.de.
_sip._udp.tel.t-online.de. 2529 IN      SRV     10 0 5060 k-epp-100.edns.t-ipnet.de.
[...]
$ dig _sip._udp.tel.t-online.de SRV @fritz.box
[...]
;; ANSWER SECTION:
_sip._udp.tel.t-online.de. 308  IN      SRV     20 0 5060 d-epp-110.edns.t-ipnet.de.
_sip._udp.tel.t-online.de. 308  IN      SRV     10 0 5060 h-epp-110.edns.t-ipnet.de.
_sip._udp.tel.t-online.de. 308  IN      SRV     30 0 5060 h2-epp-110.edns.t-ipnet.de.
[...]

The replies are different in this case.

Apparently (and from some information on the internet) Telekom is doing load balancing with DNS for their SIP telephony service. Any ideas why I end up with different replies although the FRITZ!Box should cascade the DNS request to the OPNSense box? Is this simply caching behavior on the FRITZ!Box? Can I change the DNS reply in unbound to modify the TTL that is given to the FRITZ!Box?

Thanks for hints,
Robert
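A small check for the situation described in the post, added here as an example and not code from the poster or from OPNsense or AVM: it parses the two dig answer sections quoted above (constructed from the post, assuming dig's default output layout) and reports whether the FRITZ!Box answer can be a cached copy of the Unbound answer. A real cascade serves the same SRV target set with a TTL no larger than upstream's; a different target set means the name was resolved on another path.

```python
import re

# One SRV line of a dig ANSWER SECTION: name TTL IN SRV priority weight port target
SRV_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_srv_answers(dig_output):
    """Return {(priority, weight, port, target): ttl} for each SRV line in dig output."""
    records = {}
    for line in dig_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            _, ttl, prio, weight, port, target = m.groups()
            records[(int(prio), int(weight), int(port), target.rstrip("."))] = int(ttl)
    return records

def compare_resolvers(upstream_dig, downstream_dig):
    """Does the downstream answer look like a cache of the upstream answer?

    A forwarder that really cascades to upstream serves the same target set with a
    TTL no larger than upstream's remaining TTL; a different target set means the
    downstream resolved the name on its own path or from its own cache."""
    up = parse_srv_answers(upstream_dig)
    down = parse_srv_answers(downstream_dig)
    up_targets = {r[3] for r in up}
    down_targets = {r[3] for r in down}
    return {
        "only_upstream": sorted(up_targets - down_targets),
        "only_downstream": sorted(down_targets - up_targets),
        "upstream_ttl": max(up.values(), default=None),
        "downstream_ttl": max(down.values(), default=None),
        "consistent_cascade": bool(up) and bool(down) and up_targets == down_targets
                              and max(down.values()) <= max(up.values()),
    }

# Constructed sample input: the two answer sections quoted in the post.
OPNSENSE_DIG = """\
;; ANSWER SECTION:
_sip._udp.tel.t-online.de. 2529 IN      SRV     20 0 5060 d-epp-110.edns.t-ipnet.de.
_sip._udp.tel.t-online.de. 2529 IN      SRV     30 0 5060 h2-epp-110.edns.t-ipnet.de.
_sip._udp.tel.t-online.de. 2529 IN      SRV     10 0 5060 k-epp-100.edns.t-ipnet.de.
"""
FRITZBOX_DIG = """\
;; ANSWER SECTION:
_sip._udp.tel.t-online.de. 308  IN      SRV     20 0 5060 d-epp-110.edns.t-ipnet.de.
_sip._udp.tel.t-online.de. 308  IN      SRV     10 0 5060 h-epp-110.edns.t-ipnet.de.
_sip._udp.tel.t-online.de. 308  IN      SRV     30 0 5060 h2-epp-110.edns.t-ipnet.de.
"""

if __name__ == "__main__":
    print(compare_resolvers(OPNSENSE_DIG, FRITZBOX_DIG))
```

On the quoted output the target sets differ (k-epp-100 only upstream, h-epp-110 only on the FRITZ!Box), so the box was not serving Unbound's answer, which matches the edit at the top: the ipv4 network DNS setting still pointed at the FRITZ!Box itself.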