andrewgroup Posted January 31, 2008
I always believe in simplicity but I am open to new ideas. Some recent posts have piqued my interests. In a discussion it was said that DNS SRV records improve or minimize some risks of having SIP open. Could someone explain how this works and how using TLS would be used also. Perhaps an overview would be helpful too.
brandywinetech.com Posted January 31, 2008
2 different topics. SRV is basically how SIP uses DNS to create a failover mechanism. With MGCP, phones are given multiple media controllers that share a common database and the phones can try different registrars; with SIP, there is only one supported registrar (at least that I have seen), thus the only way to handle it is to tell the phone to go to, say, sbc.mypbx.com. Then DNS will give out IP addresses in priority order based on standard DNS practices; if one server is down it will go to the next in the list. Better than hardcoding IPs: then you can take a server offline for repairs and DNS will resolve to the next in line. So I can't see how this makes it more secure. The other option is registering to 64.12.34.45 etc.; then if you have an issue, good luck reprogramming 100 phones on the fly.
TLS is the encryption of the actual SIP and RTP messages; this means I can run ethereal and intercept your call messaging, but can't see it or hear it in a trace as it will be encrypted and I don't have the private key.
yori
Vodia PBX Posted January 31, 2008
DNS SRV solves a couple of problems:
- It makes it possible to use only the domain name, not the server name, to locate the service. For example, you can use the name "domain.com", not "sip.domain.com", when calling someone.
- It makes it possible to hide the transport layer from the user. No need to include "transport=tls" in the URI.
- It makes it possible to support a server farm directly from the client without special equipment in the middle.
- DNS SRV defines weight and priority for parallel servers and failover. While parallel servers are also done on DNS A by randomly shuffling the DNS A results, failover is only possible with DNS SRV and client support.
- With DNS SRV you can choose any port, not just the default port. This does not really increase security, as it is quite simple to look the port number up using DNS SRV. But it makes it possible to have several domains running on the same machine on different ports.
- And it also makes it easier to decide whether to use IPv6 or IPv4 for a service. Well, this applies only to queries that respond directly with the IP address of the service.
andrewgroup Posted January 31, 2008
Since we have only begun the VoIP revolution, would it be safe to say that exclusively using SRV records will likely limit the number of remote systems that can directly place calls to PBXnSIP? Also, since a typical business will only have one PBX with an IP address, we gain no redundancy benefit, and if you suggest the use of A records too, you trump many of the secure benefits of SRV use?
Vodia PBX Posted January 31, 2008
My suggestion is to use DNS SRV - if you can. The ratio of gains compared to efforts is greater than one. DNS A is just a dirty workaround with many problems.
andrewgroup Posted February 2, 2008
> My suggestion is to use DNS SRV - if you can. The ratio of gains compared to efforts is greater than one. DNS A is just a dirty workaround with many problems.
This thread and the recommendations contained within would be perfect for a Best Practices on the use of DNS SRV records from.
pbxuser911 Posted August 18, 2009
Stupid question, but hey, you gotta ask: what would be a perfect DNS SRV entry? Thus far I've been doing it:
    .sip._udp.pbx IN SRV 10 10 5060 PBX1
Do I need to create multiple DNS SRV records in UDP and in TCP? Or does it only use UDP?
hosted Posted December 5, 2009
This is what our SRV looks like:
    _sip._udp.domain.com SRV 0 10 5060 sip53.domain.com.
    _sip._udp.domain.com SRV 0 10 5060 sip54.domain.com.
    _sip._udp.domain.com SRV 0 40 5060 sip52.domain.com.
    _sip._udp.domain.com SRV 0 40 5060 sip51.domain.com.
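
Added example, not written by any poster in this thread: a Python sketch of how a client following RFC 2782 would order the SRV records quoted above for failover, and why an owner name written as ".sip._udp.pbx" is not found by such a lookup. The simplified zone-line parser and the function names are assumptions made for illustration.

```python
import random
import re
from collections import Counter

# Constructed input: the four records from the last post plus the earlier ".sip._udp.pbx" line.
ZONE = """\
_sip._udp.domain.com SRV 0 10 5060 sip53.domain.com.
_sip._udp.domain.com SRV 0 10 5060 sip54.domain.com.
_sip._udp.domain.com SRV 0 40 5060 sip52.domain.com.
_sip._udp.domain.com SRV 0 40 5060 sip51.domain.com.
.sip._udp.pbx IN SRV 10 10 5060 PBX1
"""
# RFC 2782 owner names are _service._proto.name; both labels start with "_".
OWNER = re.compile(r"^_sips?\._(udp|tcp)\..+$", re.I)

def parse(zone):
    """Split simplified zone lines into (valid SRV records, rejected lines)."""
    records, rejected = [], []
    for line in zone.splitlines():
        f = [x for x in line.split() if x.upper() != "IN"]
        if len(f) != 6 or f[1].upper() != "SRV" or not OWNER.match(f[0]):
            rejected.append(line)
            continue
        records.append({"priority": int(f[2]), "weight": int(f[3]),
                        "port": int(f[4]), "target": f[5].rstrip(".")})
    return records, rejected

def failover_order(records, rng):
    """Lowest priority value first; weighted random choice within a priority."""
    order = []
    for prio in sorted({r["priority"] for r in records}):
        pool = sorted((r for r in records if r["priority"] == prio),
                      key=lambda r: r["weight"] > 0)  # weight 0 goes first
        while pool:
            pick = rng.uniform(0, sum(r["weight"] for r in pool))
            running = 0
            for r in pool:
                running += r["weight"]
                if running >= pick:
                    break
            order.append(r["target"])
            pool.remove(r)
    return order

def first_choice_share(records, trials=10000, seed=1):
    """Fraction of trials in which each target is the first one tried."""
    rng = random.Random(seed)
    hits = Counter(failover_order(records, rng)[0] for _ in range(trials))
    return {t: n / trials for t, n in hits.items()}
```

With all four records at priority 0, every server is a candidate for the first attempt and the weights (10/10/40/40) only shift how often each is tried first; a distinct higher priority value would make a record a pure standby.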