Hi,
I'm interested in using DNS blacklisting to stop transmitting SIP requests towards UAS endpoints that are non-responsive. I am on version 1.2, but I can't get it to work properly.
Here is what I am trying to do:
1) I get a message from a UAC that needs to be sent towards 1 of 4 destination UAS endpoints.
2) I set up the OpenSER to perform an SRV lookup which returns a record that has four A records associated with it. It looks as follows:
;; QUESTION SECTION:
;_sip._udp.aimcidfilter.com. IN SRV

;; ANSWER SECTION:
_sip._udp.aimcidfilter.com. 60 IN SRV 1 100 5061 spinner.eng.rr.com.
_sip._udp.aimcidfilter.com. 60 IN SRV 2 100 5061 bart.eng.rr.com.
_sip._udp.aimcidfilter.com. 60 IN SRV 3 50 5061 homer.eng.rr.com.
_sip._udp.aimcidfilter.com. 60 IN SRV 3 50 5061 crunch.eng.rr.com.
3) The OpenSER does a gethostbyname which performs a DNS A record lookup and gets a response for spinner.eng.rr.com.
4) When the OpenSER sends towards spinner.eng.rr.com, it does not get a SIP response from it. *It is at this point I was hoping that OpenSER would blacklist this UAS endpoint*, but for each incoming request that is received by the OpenSER, it continues to resolve the domain in the same manner and sends towards spinner.eng.rr.com even though there is no SIP response.
Is what I am trying to do in accordance with how OpenSER blacklisting is supposed to work?
I am trying to have OpenSER send towards bart.eng.rr.com when spinner.eng.rr.com is not responding or is not reachable.
My configuration is as below. Note that I have even tried to disable sending towards spinner.eng.rr.com by manually adding a dst_blacklist entry - that doesn't even seem to work for me. Am I doing something wrong?
I have also attached a log file.
Here is my output from openserctl
# openserctl fifo list_blacklists
200 OK
List:: net_filter owner=13 flags=1
    Rule:: flags=0 IP:: 65.185.233.55 Mask:: 255.255.255.255 Proto:: 0 Port:: 5061
List:: dns owner=17 flags=6
---------------
#
# Openser.cfg
#
# ----------- global configuration parameters ------------------------

debug=5            # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=no    # (cmd line: -E)

maxbuffer=1048576

check_via=no       # (cmd. line: -v)
dns=no             # (cmd. line: -r)
rev_dns=no         # (cmd. line: -R)
#reply_to_via=1
children=4
log_facility=LOG_LOCAL4
dns_use_search_list=no
dns_servers_no=2
user="sipproxy"
group="sipproxy"
disable_dns_blacklist=no
disable_dns_failover=no
dns_try_ipv6=no
dns_retr_time=2
dns_retr_no=2
dst_blacklist = net_filter:{ ( any , 65.185.233.55, 5061 , "" )} # block towards spinner

listen=udp:65.185.232.62:5060

alias=65.185.233.104:5060

# LOAD OpenSER MODULES
mpath="/sw/lib/openser/modules/"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "acc.so"
loadmodule "mi_fifo.so"
loadmodule "xlog.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --

modparam("usrloc", "db_mode", 0)

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# ------------------------- request routing logic -------------------
modparam("acc", "log_level", 2)
modparam("acc", "log_flag", 1)
modparam("acc","report_cancels", 1)
modparam("acc","failed_transaction_flag", 1)
modparam("acc","log_extra", "req_uri=$rU")
modparam("tm", "fr_timer", 5)
modparam("tm","fr_inv_timer",5)
modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")

# main routing logic

route{
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    };

    if (msg:len >= 2048 ) {
        sl_send_reply("513", "Message too big");
        exit;
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    if (!method=="REGISTER")
        record_route();

    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
    };

    if (!uri==myself) {
        route(1);
    };

    if (method=="OPTIONS") {
        sl_send_reply("200", "OK");
        exit;
    }

    if (uri =~ "^sip:feature_fs@" || method=="NOTIFY") {
        xlog("L_DBG", "TWC: received incoming message:\n <$mb>\n");
        seturi("sip:feature_fs@aimcidfilter.com");
        setflag(1);
        route(1);
    } else {
        sl_send_reply("404", "Not Found");
    };
}

#####################################################
# Default Message Handler
#####################################################
route[1] {

    # Send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}
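The failover behaviour the message above expects, sketched as an added example (not OpenSER's code and not part of the original post): RFC 2782 ordering over the quoted SRV answer, skipping any destination found on an (IP, port) blacklist. The function names and the A-record map are hypothetical; only spinner's address comes from the post, the other three are constructed placeholders.

```python
import random

# Constructed input: the SRV answer quoted in the post, plus an A-record map.
# Only spinner's address appears in the post; the other three are placeholders.
ANSWER = """\
_sip._udp.aimcidfilter.com. 60 IN SRV 1 100 5061 spinner.eng.rr.com.
_sip._udp.aimcidfilter.com. 60 IN SRV 2 100 5061 bart.eng.rr.com.
_sip._udp.aimcidfilter.com. 60 IN SRV 3 50 5061 homer.eng.rr.com.
_sip._udp.aimcidfilter.com. 60 IN SRV 3 50 5061 crunch.eng.rr.com.
"""
A_RECORDS = {"spinner.eng.rr.com": "65.185.233.55", "bart.eng.rr.com": "192.0.2.2",
             "homer.eng.rr.com": "192.0.2.3", "crunch.eng.rr.com": "192.0.2.4"}

def parse_srv(text):
    """Return (priority, weight, port, target) tuples from dig-style SRV lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 8 and fields[2:4] == ["IN", "SRV"]:
            prio, weight, port = (int(f) for f in fields[4:7])
            records.append((prio, weight, port, fields[7].rstrip(".")))
    return records

def order_targets(records, rng=random):
    """RFC 2782 order: ascending priority, weighted random pick within a priority."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            pick = rng.uniform(0, sum(r[1] for r in group))
            running = 0
            for rec in group:
                running += rec[1]
                if pick <= running:
                    break
            group.remove(rec)
            ordered.append(rec)
    return ordered

def next_hop(records, blacklist, rng=random):
    """First destination in SRV order whose (ip, port) is not blacklisted, else None."""
    for _, _, port, target in order_targets(records, rng):
        dest = (A_RECORDS[target], port)
        if dest not in blacklist:
            return dest
    return None
```

With spinner's (IP, port) on the blacklist, `next_hop` returns bart's address, which is the outcome the post is asking for; an entry for the same IP on a different port does not match.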
Hi Tim,
Can you get and send me the output in full debug mode (debug=6)? If too big, just send it to me privately... and also be sure to get the whole call...

Regards,
Bogdan
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users