SRV DNS records/lookup for VOIP, German Telekom

For my switch from VDSL to FTTH, I'm going to change my ISP within the next two weeks.
With my old ISP (o2 Germany) I had no issues registering my VOIP numbers via a second device (Fritzbox 7412) by adding the following two DNS forwardings in OpenWRT.

list server '/sip.alice-voip.de/ISP-DNS'
list server '/sip.alice-voip.de/ISP-DNS'

With my new ISP (Deutsche Telekom) DNS A requests for VOIP will not work anymore and SRV records need to be in place.

I've searched the internet but couldn't find a proper guide on how to set it up via OpenWRT.
German Telekom has a guide for VOIP, but it doesn't offer any details about SRV records:
https://www.telekom.de/hilfe/festnetz-internet-tv/telefonieren-einstellungen/ip-telefonie-mit-anderen-clients

root@OpenWRT:~# nslookup tel.t-online.de
;; connection timed out; no servers could be reached

Any ideas?

SRV records are normally handled by the SIP provider's DNS servers; I see no reason to make any manual configuration on OpenWrt.

Quick check:

nslookup -q=SRV _sip._udp.tel.t-online.de
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
_sip._udp.tel.t-online.de       service = 20 0 5060 d-epp-110.edns.t-ipnet.de.
_sip._udp.tel.t-online.de       service = 10 0 5060 dtm010-l01-mav-pc-rt-001.edns.t-ipnet.de.
_sip._udp.tel.t-online.de       service = 30 0 5060 h2-epp-110.edns.t-ipnet.de.

Authoritative answers can be found from:

Thanks for your reply!
For some reason "nslookup -q=SRV" doesn't work with my OpenWRT Router.
Do you have to install a specific package for it?

root@Aurora:~# nslookup -q=SRV _sip._udp.tel.t-online.de
Invalid query type "SRV"

Works for me on OpenWrt as well. Try the same from your PC.

It does work with my Win 10 PC but with a timeout:

nslookup -q=SRV _sip._udp.tel.t-online.de
Server:  OpenWRT.lan
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Zeitüberschreitung bei Anforderung an OpenWRT.lan.

Same with Pop-OS:

admin@pop-os:~$ nslookup -q=SRV _sip._udp.tel.t-online.de
;; connection timed out; no servers could be reached

Btw, I'm still running OpenWRT 19.07.10 with dnsmasq-full 2.80-16.3.
DHCP config:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option confdir '/tmp/dnsmasq.d'
	list server '/sip.alice-voip.de/ISP-DNS'
	list server '/sip.alice-voip.de/ISP-DNS'

Does your DNS server work at all? What is in your system log in regard to dnsmasq startup? Can you manually query the ISP assigned DNS server(s)?

My DNS server works fine, I'm using 1.1.1.1, same as you.
And I can also reach my current ISP DNS servers, otherwise my VOIP registration with my FritzBox wouldn't work.

dnsmasq restart log:

Mon Jun 26 14:56:26 2023 daemon.info dnsmasq[11873]: exiting on receipt of SIGTERM
Mon Jun 26 14:56:26 2023 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Mon Jun 26 14:56:26 2023 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: started, version 2.80 cachesize 150
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: DNS service limited to local subnets
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth nettlehash DNSSEC no-ID loop-detect inotify dumpfile
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq-dhcp[16133]: DHCP, IP range 192.168.100.100 -- 192.168.100.249, lease time 12h
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq-dhcp[16133]: DHCP, IP range 192.168.55.100 -- 192.168.55.249, lease time 12h
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq-dhcp[16133]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using local addresses only for domain test
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using local addresses only for domain onion
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using local addresses only for domain localhost
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using local addresses only for domain local
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using local addresses only for domain invalid
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using local addresses only for domain bind
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using standard nameservers for domain bit.ly
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using standard nameservers for domain t.co
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using standard nameservers for domain gvt2.com
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using standard nameservers for domain gvt1.com
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using standard nameservers for domain s.amazon-adsystem.com
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using nameserver 62.109.121.2#53 for domain sip.alice-voip.de
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using nameserver 62.109.121.1#53 for domain sip.alice-voip.de
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using local addresses only for domain lan
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: reading /tmp/resolv.conf.auto
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using local addresses only for domain test
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using local addresses only for domain onion
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using local addresses only for domain localhost
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using local addresses only for domain local
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using local addresses only for domain invalid
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using local addresses only for domain bind
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using standard nameservers for domain bit.ly
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using standard nameservers for domain t.co
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using standard nameservers for domain gvt2.com
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using standard nameservers for domain gvt1.com
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using standard nameservers for domain s.amazon-adsystem.com
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using nameserver 62.109.121.2#53 for domain sip.alice-voip.de
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using nameserver 62.109.121.1#53 for domain sip.alice-voip.de
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using local addresses only for domain lan
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: using nameserver 1.1.1.1#53
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: read /etc/hosts - 4 addresses
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq[16133]: read /tmp/hosts/dhcp.cfg01411c - 15 addresses
Mon Jun 26 14:56:36 2023 daemon.info dnsmasq-dhcp[16133]: read /etc/ethers - 0 addresses
root@OpenWRT:~# nslookup sip.alice-voip.de
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      sip.alice-voip.de
Address 1: 62.53.223.131
*** Can't find sip.alice-voip.de: No answer
root@OpenWRT:~# nslookup sip.alice-voip.de 1.1.1.1
Server:         1.1.1.1
Address:        1.1.1.1#53

*** Can't find sip.alice-voip.de: No answer
*** Can't find sip.alice-voip.de: No answer

My understanding is that sip.alice-voip.de is known to the ISP DNS only, so 1.1.1.1 cannot provide an answer. All looks good to me in this example.


Your DNS server (OpenWrt) does not respond to some clients. Is this because they are on a different subnet?

You are correct, that's why VOIP currently only works via DNS forwardings with the ISP DNS server. I only provided the example with 1.1.1.1 to make this clear, but sip.alice-voip.de is from my old ISP, where I won't be a customer anymore in 2 weeks.

So my problem is that the DNS forwardings via ISP DNS method will not work anymore for VOIP with my new ISP (tel.t-online.de) as they don't support DNS A lookups for VOIP and only SRV records are supported.

What I don't understand is that you can successfully look up _sip._udp.tel.t-online.de but I can't. Are you a "Deutsche Telekom" customer? If not, there must be a config error on my end.

Your DNS server (OpenWrt) does not respond to some clients. Is this because they are on a different subnet?

I never had any issues with DNS in my network. Every client is working fine 24/7. So I guess my DNS settings are fine, at least for all of my clients.

I'm not a DT customer and ran my test from a cloud VPS first and then from my home router. For your new voice provider I do not see a need for any DNS forwarding.
Can you run from your PC:
nslookup -q=SRV _sip._udp.tel.t-online.de 1.1.1.1

nslookup -q=SRV _sip._udp.tel.t-online.de 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

DNS request timed out.
    timeout was 2 seconds.
*** Zeitüberschreitung bei Anforderung an one.one.one.one.

I just tried the command with my neighbor's connection and it works. My neighbor is already a customer of Deutsche Telekom.

nslookup -q=SRV _sip._udp.tel.t-online.de 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

Nicht autorisierende Antwort:
_sip._udp.tel.t-online.de       SRV service location:
          priority       = 20
          weight         = 0
          port           = 5060
          svr hostname   = h2-epp-110.edns.t-ipnet.de
_sip._udp.tel.t-online.de       SRV service location:
          priority       = 30
          weight         = 0
          port           = 5060
          svr hostname   = d-epp-110.edns.t-ipnet.de
_sip._udp.tel.t-online.de       SRV service location:
          priority       = 10
          weight         = 0
          port           = 5060
          svr hostname   = kln000-l01-mav-pc-rt-001.edns.t-ipnet.de

So it must be something with my OpenWRT config or my current ISP network. Very strange.
Any ideas?

With your previous test your OpenWrt DNS server was not involved; your client sent a request directly to Cloudflare DNS.
There is a possibility that your current provider intercepts your DNS traffic.
Please try
nslookup -p=5353 -q=SRV _sip._udp.tel.t-online.de 208.67.222.222

I think that I found one of the issues, my bad!
I still had the following custom firewall rules in place:

iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-guest -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-guest -p tcp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-psx -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-psx -p tcp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i eth1.7 -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i eth1.7 -p tcp --dport 53 -j REDIRECT --to-port 53

After removing them, the following commands work fine, but I still cannot use any SRV command with my OpenWRT router.

PC:

nslookup -q=SRV _sip._udp.tel.t-online.de 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

Nicht autorisierende Antwort:
_sip._udp.tel.t-online.de       SRV service location:
          priority       = 30
          weight         = 0
          port           = 5060
          svr hostname   = h2-epp-110.edns.t-ipnet.de
_sip._udp.tel.t-online.de       SRV service location:
          priority       = 10
          weight         = 0
          port           = 5060
          svr hostname   = kln000-l01-mav-pc-rt-001.edns.t-ipnet.de
_sip._udp.tel.t-online.de       SRV service location:
          priority       = 20
          weight         = 0
          port           = 5060
          svr hostname   = d-epp-110.edns.t-ipnet.de
nslookup -p=5353 -q=SRV _sip._udp.tel.t-online.de 208.67.222.222
*** Ungültige Option: p=5353.
Server:  dns.opendns.com
Address:  208.67.222.222

Nicht autorisierende Antwort:
_sip._udp.tel.t-online.de       SRV service location:
          priority       = 10
          weight         = 0
          port           = 5060
          svr hostname   = hmb026-l01-mav-pc-rt-001.edns.t-ipnet.de
_sip._udp.tel.t-online.de       SRV service location:
          priority       = 20
          weight         = 0
          port           = 5060
          svr hostname   = h2-epp-110.edns.t-ipnet.de
_sip._udp.tel.t-online.de       SRV service location:
          priority       = 30
          weight         = 0
          port           = 5060
          svr hostname   = d-epp-110.edns.t-ipnet.de

Not working on PC:

nslookup -q=SRV _sip._udp.tel.t-online.de
Server:  OpenWRT.lan
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
*** Zeitüberschreitung bei Anforderung an OpenWRT.lan.

OpenWRT Router:

root@OpenWRT:~# nslookup -q=SRV _sip._udp.tel.t-online.de 1.1.1.1
Invalid query type "SRV"
root@OpenWRT:~# nslookup -p=5353 -q=SRV _sip._udp.tel.t-online.de 208.67.222.222
nslookup: invalid number '=5353'

And I'm still confused why my local DNS (192.168.1.1) cannot resolve because it should use 1.1.1.1 by default and I even put a Deutsche Telekom DNS server for testing...

Wan config:

config interface 'wan'
	option ifname 'eth1.7'
	option proto 'pppoe'
	option username '***'
	option ipv6 'auto'
	option peerdns '0'
	option password '***'
	option pppd_options 'debug'
	list dns '1.1.1.1'
	list dns '217.237.148.70'
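
A check for the situation found in the post above, where leftover REDIRECT rules sent queries addressed to 1.1.1.1 to the router's own resolver instead (added example, not code from the thread). It assumes rules in `iptables -t nat -S PREROUTING` format; the sample rules, including the DNAT line, are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list nat PREROUTING rules that intercept client DNS (port 53),
# so a test like "nslookup ... 1.1.1.1" is known not to reach 1.1.1.1 at all.

# Constructed sample in `iptables -t nat -S PREROUTING` output format, modelled
# on the custom rules quoted in the post (the DNAT line is an added variant).
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i eth1.7 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i br-lan -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -i br-guest -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1:53'

# find_dns_intercepts (hypothetical helper): read rules on stdin and print
# "iface proto target" for each rule that matches destination port 53 and
# jumps to REDIRECT or DNAT.
find_dns_intercepts() {
    awk '
    $1 == "-A" {
        iface = "any"; proto = "any"; dport = ""; target = ""
        for (i = 2; i < NF; i++) {
            if ($i == "-i")      iface  = $(i + 1)
            if ($i == "-p")      proto  = $(i + 1)
            if ($i == "--dport") dport  = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (dport == "53" && (target == "REDIRECT" || target == "DNAT"))
            print iface, proto, target
    }'
}

# intercepted_ifaces (hypothetical helper): unique interfaces whose clients
# cannot query an external resolver directly while these rules are loaded.
intercepted_ifaces() {
    find_dns_intercepts | awk '!seen[$1]++ { print $1 }'
}

# Demo on the constructed sample; on a live router pipe in
# `iptables -t nat -S PREROUTING` instead.
printf '%s\n' "$SAMPLE_RULES" | find_dns_intercepts
```

An empty result means port 53 traffic from clients is not being rewritten in this chain, so a timeout against an external resolver has to be explained elsewhere.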

nslookup -p=5353 -q=SRV _sip._udp.tel.t-online.de 208.67.222.222 should be run on a PC, as busybox nslookup probably does not support a custom port.
But now your test shows that there is no interception on port 53, so there is no real need to test with a custom port.
There is also a possibility that this is something specific to the old version of dnsmasq. Since you previously had no issues with forwarding, you can try to add something like /tel.t-online.de/8.8.8.8 and see if it makes any difference.
As an alternative to nslookup on OpenWrt, you can install the dig tool.

With dns forwardings I get the following output on my Win10 machine:

nslookup _sip._udp.tel.t-online.de
Server:  Aurora.lan
Address:  192.168.1.1

*** Keine internal type for both IPv4 and IPv6 Addresses (A+AAAA)-Einträge für _sip._udp.tel.t-online.de verfügbar.
nslookup tel.t-online.de
Server:  Aurora.lan
Address:  192.168.1.1

*** Keine internal type for both IPv4 and IPv6 Addresses (A+AAAA)-Einträge für tel.t-online.de verfügbar.

dnsmasq config:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option confdir '/tmp/dnsmasq.d'
	list server '/sip.alice-voip.de/62.109.121.1'
	list server '/sip.alice-voip.de/62.109.121.2'
	list server '/tel.t-online.de/1.1.1.1'
	list server '/tel.t-online.de/8.8.8.8'

I've installed bind-dig 9.16.28-1 before but I have no idea how to properly use it.

root@OpenWRT:~# dig _sip._udp.tel.t-online.de

; <<>> DiG 9.16.28 <<>> _sip._udp.tel.t-online.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25284
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_sip._udp.tel.t-online.de.     IN      A

;; AUTHORITY SECTION:
_sip._udp.tel.t-online.de. 9918 IN      SOA     ns1.edns.t-ipnet.de. hostmaster.t-ipnet.net. 2018022700 43200 1800 1209600 21600

;; Query time: 49 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 26 22:05:17 CEST 2023
;; MSG SIZE  rcvd: 129
root@OpenWRT:~# dig tel.t-online.de

; <<>> DiG 9.16.28 <<>> tel.t-online.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51545
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tel.t-online.de.               IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 26 22:05:58 CEST 2023
;; MSG SIZE  rcvd: 44

All wrong :wink:
You need to specify a query type (SRV).
For dig the syntax is dig _sip._udp.tel.t-online.de SRV


Thanks. :blush: Looks good imo!

root@OpenWRT:~# dig _sip._udp.tel.t-online.de SRV

; <<>> DiG 9.16.28 <<>> _sip._udp.tel.t-online.de SRV
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29124
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_sip._udp.tel.t-online.de.     IN      SRV

;; ANSWER SECTION:
_sip._udp.tel.t-online.de. 1941 IN      SRV     30 0 5060 d-epp-100.edns.t-ipnet.de.
_sip._udp.tel.t-online.de. 1941 IN      SRV     20 0 5060 h2-epp-100.edns.t-ipnet.de.
_sip._udp.tel.t-online.de. 1941 IN      SRV     10 0 5060 ffm021-l01-mav-pc-rt-001.edns.t-ipnet.de.

;; Query time: 59 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 26 22:20:32 CEST 2023
;; MSG SIZE  rcvd: 205
root@OpenWRT:~# dig tel.t-online.de SRV

; <<>> DiG 9.16.28 <<>> tel.t-online.de SRV
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47801
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;tel.t-online.de.               IN      SRV

;; AUTHORITY SECTION:
tel.t-online.de.        10415   IN      SOA     ns1.edns.t-ipnet.de. hostmaster.t-ipnet.net. 2018022700 43200 1800 1209600 21600

;; Query time: 59 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 26 22:21:26 CEST 2023
;; MSG SIZE  rcvd: 119

That is wrong, as for an SRV query you need to use the _service._proto.name format, where name==domain.
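
The three dig results walked through in the posts above (SRV answer, A query against the SRV name, SRV query against the bare domain) can be told apart mechanically. This is an added example, not code from the thread; `classify_dig` is a hypothetical helper, and the samples are abridged from the dig output quoted above.

```shell
#!/bin/sh
# Added example: classify a dig reply for a SIP SRV lookup.
# Samples are abridged from the dig output quoted in the thread.
SRV_OK=';; QUESTION SECTION:
;_sip._udp.tel.t-online.de.     IN      SRV

;; ANSWER SECTION:
_sip._udp.tel.t-online.de. 1941 IN      SRV     30 0 5060 d-epp-100.edns.t-ipnet.de.
_sip._udp.tel.t-online.de. 1941 IN      SRV     20 0 5060 h2-epp-100.edns.t-ipnet.de.
_sip._udp.tel.t-online.de. 1941 IN      SRV     10 0 5060 ffm021-l01-mav-pc-rt-001.edns.t-ipnet.de.'

WRONG_TYPE=';; QUESTION SECTION:
;_sip._udp.tel.t-online.de.     IN      A

;; AUTHORITY SECTION:
_sip._udp.tel.t-online.de. 9918 IN      SOA     ns1.edns.t-ipnet.de. hostmaster.t-ipnet.net. 2018022700 43200 1800 1209600 21600'

BAD_NAME=';; QUESTION SECTION:
;tel.t-online.de.               IN      SRV

;; AUTHORITY SECTION:
tel.t-online.de.        10415   IN      SOA     ns1.edns.t-ipnet.de. hostmaster.t-ipnet.net. 2018022700 43200 1800 1209600 21600'

# classify_dig (hypothetical helper): read dig output on stdin and print
#   srv <priority> <port> <target>   lowest-priority SRV record (tried first)
#   nodata wrong-type <qtype>        the question was not of type SRV
#   nodata bad-name <qname>          SRV asked, name lacks _service._proto.
#   nodata <qname>                   well-formed SRV question, no records
# Weight is ignored: every record shown in the thread has weight 0.
classify_dig() {
    awk '
    /^;; QUESTION SECTION:/ { inq = 1; next }
    inq && /^;/ { qname = substr($1, 2); qtype = $NF; inq = 0; next }
    $4 == "SRV" && $1 !~ /^;/ {
        if (best == "" || $5 + 0 < best + 0) { best = $5; port = $7; target = $8 }
    }
    END {
        if (best != "")                        print "srv", best, port, target
        else if (qtype != "SRV")               print "nodata wrong-type", qtype
        else if (qname !~ /^_[^.]+\._[^.]+\./) print "nodata bad-name", qname
        else                                   print "nodata", qname
    }'
}

# Demo on the three samples; on the router use:
#   dig _sip._udp.tel.t-online.de SRV | classify_dig
for sample in "$SRV_OK" "$WRONG_TYPE" "$BAD_NAME"; do
    printf '%s\n' "$sample" | classify_dig
done
```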
