[OpenSER-Users] DNS blacklisting problem

Tim Madorma tmadorma at gmail.com
Thu Sep 27 23:06:37 CEST 2007


Hi,

I'm interested in using DNS blacklisting to stop transmitting SIP
requests towards UAS endpoints that are non-responsive. I am on
version 1.2, but I can't get it to work properly.

Here is what I am trying to do:

1) I get a message from a UAC that needs to be sent towards 1 of 4
destination UAS endpoints.

2) I set up the OpenSER to perform an SRV lookup which returns a record
that has four A records associated with it. It looks as follows:

;; QUESTION SECTION:
;_sip._udp.aimcidfilter.com.    IN      SRV

;; ANSWER SECTION:
_sip._udp.aimcidfilter.com. 60  IN      SRV     1 100 5061 spinner.eng.rr.com.
_sip._udp.aimcidfilter.com. 60  IN      SRV     2 100 5061 bart.eng.rr.com.
_sip._udp.aimcidfilter.com. 60  IN      SRV     3 50 5061 homer.eng.rr.com.
_sip._udp.aimcidfilter.com. 60  IN      SRV     3 50 5061 crunch.eng.rr.com.


3) The OpenSER does a gethostbyname which performs a DNS A record
lookup and gets a response for spinner.eng.rr.com.

4) When the OpenSER sends towards spinner.eng.rr.com, it does not get
a SIP response from it. *It is at this point I was hoping that OpenSER
would blacklist this UAS endpoint*, but for each incoming request that
is received by the OpenSER, it continues to resolve the domain in the
same manner and sends towards spinner.eng.rr.com even though there is
no SIP response.

Is what I am trying to do in accordance with how OpenSER blacklisting
is supposed to work?

I am trying to have OpenSER send towards bart.eng.rr.com when
spinner.eng.rr.com is not responding or is not reachable.

My configuration is as below. Note that I have even tried to disable
sending towards spinner.eng.rr.com by manually adding a dst_blacklist
entry - that doesn't even seem to work for me. Am I doing something
wrong?

I have also attached a log file.

Here is my output from openserctl

# openserctl fifo list_blacklists
200 OK
List:: net_filter owner=13 flags=1
        Rule::  flags=0
                IP:: 65.185.233.55
                Mask:: 255.255.255.255
                Proto:: 0
                Port:: 5061
List:: dns owner=17 flags=6


---------------
#
# Openser.cfg
# ----------- global configuration parameters ------------------------

debug=5            # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=no    # (cmd line: -E)

maxbuffer=1048576

check_via=no    # (cmd. line: -v)
dns=no          # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
#reply_to_via=1
children=4
log_facility=LOG_LOCAL4
dns_use_search_list=no
dns_servers_no=2
user="sipproxy"
group="sipproxy"
disable_dns_blacklist=no
disable_dns_failover=no
dns_try_ipv6=no
dns_retr_time=2
dns_retr_no=2
dst_blacklist = net_filter:{ ( any , 65.185.233.55, 5061 , "" )} # block towards spinner

listen=udp:65.185.232.62:5060

alias=65.185.233.104:5060

# LOAD OpenSER MODULES
mpath="/sw/lib/openser/modules/"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "acc.so"
loadmodule "mi_fifo.so"
loadmodule "xlog.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --

modparam("usrloc", "db_mode",   0)

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# -------------------------  request routing logic -------------------
modparam("acc", "log_level", 2)
modparam("acc", "log_flag", 1)
modparam("acc","report_cancels", 1)
modparam("acc","failed_transaction_flag", 1)
modparam("acc","log_extra", "req_uri=$rU")
modparam("tm", "fr_timer", 5)
modparam("tm","fr_inv_timer",5)
modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")

# main routing logic

route{
        # initial sanity checks -- messages with
        # max_forwards==0, or excessively long requests
        if (!mf_process_maxfwd_header("10")) {
                sl_send_reply("483","Too Many Hops");
                exit;
        };

        if (msg:len >=  2048 ) {
                sl_send_reply("513", "Message too big");
                exit;
        };

        # we record-route all messages -- to make sure that
        # subsequent messages will go through our proxy; that's
        # particularly good if upstream and downstream entities
        # use different transport protocol
        if (!method=="REGISTER")
                record_route();

        # subsequent messages within a dialog should take the
        # path determined by record-routing
        if (loose_route()) {
                # mark routing logic in request
                append_hf("P-hint: rr-enforced\r\n");
                route(1);
        };

        if (!uri==myself) {
                route(1);
        };

        if (method=="OPTIONS") {
            sl_send_reply("200", "OK");
            exit;
        }

        if (uri =~ "^sip:feature_fs@" || method=="NOTIFY") {
            xlog("L_DBG", "TWC: received incoming message:\n <$mb>\n");
            seturi("sip:feature_fs@aimcidfilter.com");
            setflag(1);
            route(1);
        }  else {
          sl_send_reply("404", "Not Found");
        };
}

#####################################################
# Default Message Handler
#####################################################
route[1] {

        # Send it out now; use stateful forwarding as it works reliably
        # even for UDP2TCP
        if (!t_relay()) {
                sl_reply_error();
        };
        exit;
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openser_excerpt.log
Type: application/octet-stream
Size: 342294 bytes
Desc: not available
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20070927/51463210/attachment.obj>
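An added example, not part of the original message and not OpenSER's own code: it parses the `list_blacklists` output quoted in the post and walks the SRV targets in priority order, skipping any destination that a loaded rule covers, which is the failover the post is asking for. The A-record addresses for bart, homer and crunch are constructed placeholders, and treating port 0 as a wildcard is an assumption.

```python
import ipaddress
import re

# `openserctl fifo list_blacklists` output, copied from the post.
DUMP = """\
200 OK
List:: net_filter owner=13 flags=1
        Rule::  flags=0
                IP:: 65.185.233.55
                Mask:: 255.255.255.255
                Proto:: 0
                Port:: 5061
List:: dns owner=17 flags=6
"""
# SRV answer from the post: (priority, weight, port, target).
SRV = [(1, 100, 5061, "spinner.eng.rr.com."), (2, 100, 5061, "bart.eng.rr.com."),
       (3, 50, 5061, "homer.eng.rr.com."), (3, 50, 5061, "crunch.eng.rr.com.")]
# spinner's address is from the post's dst_blacklist comment; the rest are constructed (RFC 5737).
A = {"spinner.eng.rr.com.": "65.185.233.55", "bart.eng.rr.com.": "192.0.2.11",
     "homer.eng.rr.com.": "192.0.2.12", "crunch.eng.rr.com.": "192.0.2.13"}

def parse_blacklists(dump):
    """Return {list name: [rule dict, ...]} parsed from the dump."""
    lists, rules = {}, None
    for key, val in re.findall(r"^[ \t]*(\w+)::[ \t]*(.*)$", dump, re.M):
        if key == "List":
            rules = lists.setdefault(val.split()[0], [])
        elif key == "Rule" and rules is not None:
            rules.append({})
        elif rules:
            rules[-1][key] = val
    return lists

def is_blocked(lists, ip, port):
    """True if ip:port matches a rule. Port 0 is treated as 'any' (assumption);
    Proto is not compared because every rule shown is Proto 0 (config `any`)."""
    for rule in (r for rules in lists.values() for r in rules):
        net = ipaddress.ip_network(f"{rule['IP']}/{rule['Mask']}", strict=False)
        if ipaddress.ip_address(ip) in net and int(rule["Port"]) in (0, port):
            return True
    return False

def pick_target(srv, a_records, lists):
    """First non-blocked target by ascending priority. Equal priorities are taken
    by descending weight, a simplification of RFC 2782's weighted random pick."""
    for _, _, port, host in sorted(srv, key=lambda r: (r[0], -r[1])):
        if not is_blocked(lists, a_records[host], port):
            return host, a_records[host], port
    return None
```

Running `parse_blacklists(DUMP)` on the quoted output yields one `net_filter` rule and an empty `dns` list, so the parsed state can be compared directly with what the proxy is observed to do.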

