Description: This document describes how you can control the registration of a SIP terminal (SIP telephone, SIP PBX, etc.) at the provider by using the layer-7 application control. This procedure is suitable for load-balancer scenarios where the SIP terminal should always use the same Internet connection to register with the provider.Requirements: The LANCOM router must operate as a DNS server or DNS forwarder in the network. Clients on the local network must use the router as a DNS server. In addition, clients need to be prevented from using DNS-over-TLS and DNS-over-HTTPS (also in the browser) directly with external DNS servers.This can be achieved with the following options: - The DHCP server has to communicate the IP address of the router as a DNS server. The Internet Setup Wizard configures this by default.
- Firewall rules have to be set up to prevent the direct use of external DNS servers, e.g. by blocking the outgoing port 53 for clients on the source network.
- Firewall rules have to be set up that prevent the direct use of external DNS servers that support DNS-over-TLS, e.g. by blocking the outgoing port 853 for clients on the source network.
- Disable DNS-over-HTTPS (DoH) in the browser.
Notes on how to synchronize the firewall's DNS database: Since the firewall learns its information from the DNS requests of the clients, in certain situations the DNS database will be incomplete. This can happen in the following situations:- A new firewall rule is added, but the client still has a cached DNS entry.
- The router was restarted when the client already has a cached DNS entry.
Helpful in these cases is emptying the DNS cache on the client, rebooting the client, or a time-out of the DNS record on the client. The router’s own services, such as ping, are not handled by the firewall rules. By sending a ping to a full DNS name (without wildcard expressions), the generation of rule resolutions (DNS to IP addresses) can be performed on-demand either from the command line (once) or by a cron job.
Note: Different DNS names that resolve to the same IP address cannot be distinguished. In this case, the first rule that references one of these DNS names will apply. That should not be a problem for large service providers. However, it could occur with small websites hosted by the same vendor.
Example scenario: This example is for configuring the following scenario:- Two Internet connections and a load balancer are available:
- LOADBLANCER with routing tag 0
- INTERNET with routing tag 1 and
- INTERNET2 with routing tag 2
How to configure a scenario like this is described in the following Knowledge Base article |