SRV - TLS


andrewgroup

I always believe in simplicity but I am open to new ideas. Some recent posts have piqued my interest.

 

In a discussion it was said that DNS SRV records improve or minimize some risks of having SIP open.

 

Could someone explain how this works and how TLS would be used also? Perhaps an overview would be helpful too.

2 different topics,

 

SRV is basically how SIP uses DNS to create a failover mechanism. With MGCP, phones are given multiple media controllers that share a common database and the phones can try different registrars; with SIP, there is only one supported registrar (at least that I have seen).

 

Thus the only way to handle it is to tell the phone to go to, say, sbc.mypbx.com. Then DNS will give out IP addresses in priority order based on standard DNS practices; if one server is down it will go to the next in the list. Better than hardcoding IPs, since you can take a server offline for repairs and DNS will resolve to the next in line. So I can't see how this makes it more secure, as the other option is registering to 64.12.34.45 etc., and then if you have an issue, good luck reprogramming 100 phones on the fly.

 

 

TLS is the encryption of the actual SIP and RTP messages. This means I can run ethereal and intercept your call messaging, but I can't see it or hear it in a trace as it will be encrypted and I don't have the private key.

 

yori


DNS SRV solves a couple of problems:

  • It makes it possible to use only the domain name, not the server name, to locate the service. For example, you can use the name "domain.com", not "sip.domain.com", when calling someone.
  • It makes it possible to hide the transport layer from the user. No need to include "transport=tls" in the URI.
  • It makes it possible to support a server farm directly from the client without special equipment in the middle. DNS SRV defines weight and priority for parallel servers and failover. While parallel servers can also be done with DNS A by randomly shuffling the DNS A results, failover is only possible with DNS SRV and client support.
  • With DNS SRV you can choose any port, not just the default port. This does not really increase security, as it is quite simple to look the port number up using DNS SRV. But it makes it possible to have several domains running on the same machine on different ports.
  • And it also makes it easier to decide whether to use IPv6 or IPv4 for a service. Well, this applies only to queries that respond directly with the IP address of the service.

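The two posts above describe the same mechanism from different angles: the client resolves a service name such as _sips._tcp.domain.com, orders the results by priority, spreads load within a priority by weight, and walks down the list when a target is unreachable. The following added example (not code from the thread, the forum, or any PBX vendor) implements that RFC 2782 selection logic in Python over a constructed, in-memory zone; the domain example.com, the host names, the ports and the weights are all assumed sample values, and the "reachable" callback stands in for a real registration attempt.

```python
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    """One DNS SRV record: priority, weight, port, target (RFC 2782 RDATA)."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample zone (assumption: example.com, sbc1/sbc2/backup are made up).
# Two SBCs share priority 10 with a 60/40 weight split; a backup sits at priority 20.
SAMPLE_ZONE: Dict[str, List[SrvRecord]] = {
    "_sips._tcp.example.com": [
        SrvRecord(priority=10, weight=60, port=5061, target="sbc1.example.com"),
        SrvRecord(priority=10, weight=40, port=5061, target="sbc2.example.com"),
        SrvRecord(priority=20, weight=0, port=5061, target="backup.example.com"),
    ],
    "_sip._udp.example.com": [
        SrvRecord(priority=10, weight=0, port=5060, target="sbc1.example.com"),
    ],
}

# Service labels per transport: the transport is hidden in the SRV name,
# so the user only ever types the bare domain.
SERVICE_FOR_TRANSPORT = {"tls": "_sips._tcp", "tcp": "_sip._tcp", "udp": "_sip._udp"}


def srv_name(domain: str, transport: str) -> str:
    """Build the SRV owner name a SIP client queries for a domain and transport."""
    return f"{SERVICE_FOR_TRANSPORT[transport]}.{domain}"


def order_targets(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order SRV records as RFC 2782 prescribes.

    Lower priority values are tried first. Within one priority, records are
    drawn one at a time with probability proportional to weight (weight 0
    records are drawn last in practice, never never).
    """
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        # RFC 2782: weight-0 records go to the front of the candidate list.
        group = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight == 0, reverse=True)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)          # inclusive of total
            running = 0
            chosen = group[0]
            for r in group:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def pick_registrar(domain: str, transport: str, reachable: Callable[[str], bool],
                   zone: Dict[str, List[SrvRecord]] = SAMPLE_ZONE,
                   rng: Optional[random.Random] = None) -> Optional[Tuple[str, int]]:
    """Return (host, port) of the first reachable target in SRV order, or None.

    This is the failover behaviour the thread describes: the phone keeps the
    bare domain configured and DNS supplies the ordered list of servers.
    """
    rng = rng or random.Random()
    records = zone.get(srv_name(domain, transport), [])
    for record in order_targets(records, rng):
        if reachable(record.target):
            return record.target, record.port
    return None


if __name__ == "__main__":
    down = {"sbc1.example.com"}
    print(pick_registrar("example.com", "tls", lambda host: host not in down))
```

Note that the lookup is for the domain only; the transport and port come out of the record, which is exactly why the URI never needs "transport=tls" and why a non-default port adds no confidentiality, as the list above says.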

Since we have only begun the VoIP revolution, would it be safe to say that exclusively using SRV records will likely limit the number of remote systems that can directly place calls to PBXnSIP? Also, since a typical business will only have one PBX with an IP address, we gain no redundancy benefit, and if you suggest the use of A records too, you trump many of the security benefits of SRV use?

My suggestion is to use DNS SRV - if you can. The ratio of gains compared to efforts is greater than one. DNS A is just a dirty workaround with many problems.

 

This thread and the recommendations contained within would be perfect for a Best Practices on the use of DNS SRV records from.
