Proxied IP address with SIP PBX for IP authentication

Will Cloudflare’s proxied DNS records (https://developers.cloudflare.com/dns/manage-dns-records/reference/proxied-dns-records) work for IP authentication for a SIP PBX?

I am setting up a SIP PBX at home and have a dynamic IP address from my ISP. My SIP trunking provider can do IP authentication to a dynamic IP address using an FQDN (A record) that is updated to that IP address. Cloudflare supports DDNS via DNS-O-Matic for dynamic DNS updating (https://developers.cloudflare.com/dns/manage-dns-records/how-to/managing-dynamic-ip-addresses/). The firewall at my home can perform dynamic DNS updating using DNS-O-Matic (ddclient Perl client). This all seems good, but Cloudflare proxies IP addresses for A, AAAA, and CNAME records and those are dynamic IP addresses.

Will the dynamic update (ddclient) work with proxied DNS records, that is, does the update change the target of the proxy such that the proxied IP address will now go to my updated IP address (not change the IP address to which the FQDN resolves, which is the normal way that DDNS works), or does ddclient only work on a DNS hostname that has a non-proxied IP address?

If the former, will the proxy correctly handle the IP authentication for SIP? Will the SIP provider see the proxied IP address as not matching my IP address such that the authentication will fail?

Welcome to the Cloudflare Community.

You can use the dynamic DNS, but you cannot use the proxy for SIP. The proxy only supports HTTP and HTTPS traffic, and only on specific ports.

Dear epic.network,

Thank you very much for explaining that dynamic DNS (DDNS) will work for a proxied IP address but not for SIP. Proxy supporting only HTTP and HTTPS makes sense as (one of) the purpose(s) of the proxy is to cache the web content and SIP (or other services such as SSH) can’t be cached.

I think what you are saying is that the DDNS update will update the IP address to which the proxy connects, not the IP address that is returned in an NSLOOKUP.

What happens if an FQDN that has a proxied IP address is used for some non-web protocol (e.g., SIP/SSH), on ports other than 80 and 443? Does Cloudflare just not respond (stealth) or does it send some response indicating that the service is not supported?

I think that what you are saying is that an FQDN that has a proxied IP address cannot be used for anything other than HTTP and HTTPS, regardless of whether the IP address is static or dynamic. Also, SIP via IP authentication using an FQDN will not work regardless of whether it is using a static or dynamic IP address. IP authentication with a static IP address (not using a DNS name) should work, and SIP register with authentication should work (for a dynamic or static IP address) because it uses the final IP address, not an FQDN.

Am I correct that the only way to get a host name that is not proxied (to be able to use DDNS with an FQDN for SIP IP authentication) is to use an enterprise Cloudflare account (not practical for my home use)?

So it seems that Cloudflare DNS service (with proxied IP addresses) would be useful if I wanted to run a web server from my location, but not otherwise useful to me.

You misunderstood the dynamic DNS. It works just fine with both Proxied and DNS Only hostnames on all subscriptions, including the free one.

Thank you for your explanation that dynamic DNS (DDNS) works with both Proxied and DNS Only hostnames. Hopefully I am now understanding correctly that SIP must use a DNS Only hostname (and it can use DDNS).

I was able to add an A record for the hostname to use for SIP as a DNS Only name (with my free account).

I think this is going to work now. Next I will set up my firewall to dynamically update that hostname and then change the domain registrar to point to the Cloudflare name servers.
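The thread's conclusion (the SIP hostname must be a DNS Only A record, and the DDNS update must keep it that way) as a pre-flight check, written as an added example that is not from the thread or from Cloudflare. The record dicts mirror the field names of Cloudflare's DNS record objects (type, name, content, proxied, ttl), but the values, hostnames and addresses are constructed sample data and no API call or DNS lookup is made.

```python
"""Pre-flight check for the A record a SIP trunk provider resolves for IP auth.

Constructed sample data below; field names follow Cloudflare's DNS record
objects, but nothing here talks to the Cloudflare API or to DNS.
"""
import ipaddress

# Source addresses a SIP provider can never see as your WAN IP
# (RFC 1918 private space and the CGNAT shared range 100.64.0.0/10).
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed records: one DNS Only (usable for SIP), one Proxied (web only).
SIP_RECORD = {"id": "REC-SAMPLE-1", "type": "A", "name": "pbx.example.com",
              "content": "203.0.113.10", "proxied": False, "ttl": 120}
WEB_RECORD = {"id": "REC-SAMPLE-2", "type": "A", "name": "www.example.com",
              "content": "203.0.113.10", "proxied": True, "ttl": 1}


def sip_auth_problems(record: dict, wan_ip: str) -> list:
    """Reasons why `record` cannot serve as the FQDN used for SIP IP auth.
    An empty list means the record is usable as-is."""
    problems = []
    if record.get("type") != "A":
        problems.append("record must be an A record (IPv4) for IP authentication")
    if record.get("proxied"):
        # The proxy only carries HTTP/HTTPS: the provider would resolve a
        # Cloudflare address, which never matches the PBX's real source IP.
        problems.append("record is Proxied; switch it to DNS Only for SIP")
    try:
        addr = ipaddress.ip_address(wan_ip)
    except ValueError:
        problems.append("%r is not a valid IP address" % wan_ip)
        return problems
    if addr.version != 4 or any(addr in n for n in NON_PUBLIC):
        problems.append("%s is not a public IPv4 address (NAT/CGNAT?)" % wan_ip)
    if record.get("content") != wan_ip:
        problems.append("record points at %s but WAN IP is %s; DDNS update needed"
                        % (record.get("content"), wan_ip))
    return problems


def ddns_update_payload(record: dict, wan_ip: str) -> dict:
    """Update body that retargets the A record while keeping it DNS Only.
    Field names follow Cloudflare's DNS record API; the PUT itself is not
    performed here (assumed to be done by ddclient or your own client)."""
    return {"type": "A", "name": record["name"], "content": wan_ip,
            "ttl": record.get("ttl", 1), "proxied": False}
```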
