Monday, September 14, 2009

Setting up DNS for Internet Calling

Somebody questioned how I was handling DNS inside and outside my network, so I figured I'd document what I'm doing for remote users and Internet dialing.

I have the following setup at home right now. This same configuration would apply for a small business that doesn't have static IPs (I'm sure you could cherry-pick info here if you do have static IPs too).

My home SIP server is in SIP domain (just one I made up while I was writing the book).

I'm on a DSL connection at home with a non-static IP.

My domain is hosted at

My firewall (pfSense) updates with my current IP address

GoDaddy is a CNAME pointing to priority 0, weight 0, port 5060 points to

Copy the existing zone file to a new zone file for the external domain in /var/named.
Modify the new file and replace all references to the existing DNS domain ('') with the new external DNS domain ('').
Edit /etc/named.conf and duplicate the zone entry for the existing domain for the new domain.
Restart DNS and make sure you can ping / dig the new domain.
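Added example, not code from the post or from sipXecs: a small Python checker that parses a BIND zone snippet and follows the _sip._udp SRV record the way a SIP client would, so you can confirm the SRV target, the CNAME to the dynamic-DNS host and the trailing dots before restarting named. The names example.invalid and myhome.dyndns.invalid are placeholders for the real domain and dynamic-DNS host.

```python
# Constructed sample zone snippet (placeholder names, not the post's real domain or dynamic-DNS host).
SAMPLE_ZONE = """\
sip        IN CNAME myhome.dyndns.invalid.   ; host the firewall's dynamic-DNS client keeps current
_sip._udp  IN SRV   0 0 5060 sip             ; relative target: BIND appends the zone origin
"""

def parse_zone(text, origin):
    """Parse single-line BIND records; names are expanded to FQDNs the way BIND applies $ORIGIN."""
    def fqdn(n):  # any name without a trailing dot is relative to the zone origin
        return f'{origin}.' if n == '@' else n if n.endswith('.') else f'{n}.{origin}.'
    records = []
    for line in text.splitlines():
        tokens = line.split(';', 1)[0].split()
        if not tokens or tokens[0].startswith('$') or 'IN' not in tokens:
            continue  # blank lines, comments and $TTL/$ORIGIN directives
        cls = tokens.index('IN')
        owner, rtype, rdata = fqdn(tokens[0]), tokens[cls + 1], tokens[cls + 2:]
        if rtype == 'CNAME':
            rdata = [fqdn(rdata[0])]
        elif rtype == 'SRV':
            rdata = rdata[:3] + [fqdn(rdata[3])]  # priority, weight, port, target
        records.append({'owner': owner, 'type': rtype, 'rdata': rdata})
    return records

def check_sip_srv(records, origin, expected_port=5060):
    """Follow _sip._udp SRV -> CNAME chain -> A the way a SIP client would; empty 'problems' means ready."""
    result = {'target': None, 'address': None, 'problems': [], 'notes': []}
    srv = [r for r in records if r['type'] == 'SRV' and r['owner'] == f'_sip._udp.{origin}.']
    if not srv:
        result['problems'].append('no _sip._udp SRV record: clients cannot locate the proxy by domain name')
        return result
    _priority, _weight, port, name = srv[0]['rdata']
    result['target'] = name
    if int(port) != expected_port:
        result['problems'].append(f'SRV port {port} differs from the forwarded SIP port {expected_port}')
    for _ in range(8):  # bound the chase so a CNAME loop cannot spin forever
        hit = next((r for r in records if r['owner'] == name and r['type'] in ('A', 'CNAME')), None)
        if hit is None and name.endswith(f'.{origin}.'):
            result['problems'].append(f'{name} has no A/CNAME record in the zone (missing trailing dot?)')
        elif hit is None:
            result['notes'].append(f'{name} is outside the zone (dynamic-DNS host): the firewall must keep it current')
        elif hit['type'] == 'CNAME':
            name = hit['rdata'][0]
            continue
        else:
            result['address'] = hit['rdata'][0]
        break
    else:
        result['problems'].append('CNAME chain longer than 8 hops or looping')
    return result
```

Run the internal view of the zone through the same check to confirm it lands on the PBX's internal address rather than the dynamic-DNS name.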

sipXecs Configuration Server
Buy my book :-)
Add alias to domain (Domain is under System menu) for
Restart all services that request restart.
Add the SIP Trunking services to the SIP Server (Click on server in System->Servers).
Restart all services that request restart.
Enable Internet Dialing (under the System menu), set your internal IP range, set the SBC to sipXbridge-1, and add * as an Intranet Domain.
Enable NAT Traversal and let sipXecs know it is behind a NAT (Click on Internet Calling in System then NAT is on LEFT menu).

Internal Workstations / Phones
Determine where you are pointing for DNS.
If you are pointing at the PBX machine then no worries.
If you are pointing at some other DNS server, you'll need to get that server to forward lookups for your domain to the PBX (in my case I point to pfSense as my DNS server, and pfSense redirects all lookups for the domain to the PBX).

pfSense Firewall Configuration
Turn off automatic NAT so the NAT port translation is static (see the earlier blog entry).
For the following NAT entries, allow pfSense to also create the required firewall rules.
Add a NAT entry for external IP port 5060 UDP to the sipXecs internal IP port 5060 UDP.
Add a NAT entry for external IP port 5080 UDP to the sipXecs internal IP port 5080 UDP (only needed if you do SIP trunks).
Add a NAT entry for external IP port range 30000-31000 UDP to the sipXecs internal IP port range starting at 30000 (this is the RTP media range).

So, what does all this do?

Allows my roaming users and other users on the Internet to find my sipXecs server via an external IP address that is forwarded to my PBX.

Allows my internal users to find my sipXecs via an internal IP address.

Allows anybody on the Internet to reach me at myextension 'at' sipxecs 'dot' info.

Also, if you add an alias to your sipXecs user extension that matches your e-mail alias, users can phone you (with URL dialing in their softphone) or e-mail you at exactly the same address... voila!


Michael Picher said...

Tweaked the instructions a bit, reminding people to edit the new DNS zone file and replace references to their existing DNS domain with the new external DNS domain.

Charlie said...

You said "Add NAT entry for External IP port range 30000-31000 to sipXecs internal IP port range starting at 30000" - what is the internal 30000 for, and what does it end in - also 31000? You were not consistent as you were with the SIP. Also, is it UDP also?

Michael Picher said...

Hi Kyle,

Sorry, 30000 through 31000 udp (that is a range).

This range of UDP ports is for the RTP (the media / voice).

Anonymous said...

Is there a reason why your internal domain is different than your external domain?
I mean, couldn't they be the same?
And is it OK to use .com in your private domain?

ps: I do have your book. :-)

Cheers for the blog,

Michael Picher said...

They absolutely could be the same. Many organizations however have an internal Microsoft DNS domain and a public facing internet domain. Microsoft actually advocates for this on most installs.

If you use the same domain inside and out, it requires that you publish all of your external references to your internal DNS server. This just seems to blow some people's minds.