
A study of the SIP protocol shows that it supports domain names from the start. In particular, it is enough to create SRV and NAPTR DNS records to tell SIP clients where to look for your telephony server. As a result, we get user addresses such as alex@mysite.ru, director@mysite.ru and 101@mysite.ru and can call them directly. These addresses may even coincide with the email address.
Free calls
The time when you can call any person over the Internet by their SIP URI as easily as on a regular phone is still far away, but you can already get clear advantages.
Marketing component: you can advertise your company as the most focused on contact with the client and give clients different ways to communicate with employees.
For example, on an employee's business card you can give a contact, by analogy with e-mail, as sip:director@mysite.ru. A bonus of such a call is that it bypasses the voice menu: there is no need to dial an extension number, the caller is connected immediately to the employee they want, which saves time.
Customers can call you for free directly from the browser through WebRTC from various web services, which is an opportunity to save on the bill for the 8 800 hotline. Many of your customers will find it convenient to call from the computer in one click through a headset instead of dialing the number on a mobile phone.
In most cases, calls to SIP numbers are free for both parties. They also make it possible to use the full capabilities of modern telephony, for example video calls. You can hold open conferences and seminars.
Setting up the popular office PBX Asterisk
When setting up your own server, pay close attention to security. Unfortunately, telephony today is a tasty target for attackers.
We assume that Asterisk is already installed and configured for normal calls.
First of all, check that a firewall is enabled and configured on this server. Below is a configuration example for iptables on Debian. The configuration is saved in /etc/iptables.up and loaded with iptables-restore.
Settings file /etc/iptables.up:
*filter
If the server is used as a gateway to the local network, add rules for the nat and mangle tables as needed.
Make the configuration load automatically. To do this, add the line post-up iptables-restore < /etc/iptables.up to the /etc/network/interfaces file after the interface description:
allow-hotplug eth1
iface eth1 inet dhcp
    post-up iptables-restore < /etc/iptables.up
Next, configure fail2ban to analyze the logs. I recommend enabling the SSH and Asterisk modules. More setup is described here.
Configure DNS records
For calls to a SIP URI, callers need to be told where to look for the telephony server. NAPTR and SRV records are used for this purpose:
The NAPTR record for the mysite.ru domain tells clients which services are supported:
~$ host -t naptr mysite.ru
mysite.ru has NAPTR record 10 50 "s" "SIP+D2U" "" _sip._udp.mysite.ru.
mysite.ru has NAPTR record 10 51 "s" "SIP+D2U" "" _sip._udp.second.mysite.ru.
mysite.ru has NAPTR record 20 50 "s" "SIP+D2T" "" _sip._tcp.mysite.ru.
mysite.ru has NAPTR record 20 50 "s" "SIPS+D2T" "" _sips._tcp.mysite.ru.
In this case, 4 NAPTR records are defined for the mysite.ru domain.
- 10 - Order field: service priority. The lower the value, the higher the priority.
- 50 - Preference field: rule priority, compared only among records with identical Order values. In this case, if the client supports the "SIP+D2U" service, a request is first sent to _sip._udp.mysite.ru and, if it is not available, to _sip._udp.second.mysite.ru.
- "s" - Flags field. Indicates that an SRV record is in use.
- "SIP+D2U" - Service field: the supported protocol. In this case, SIP over UDP. SIP+D2T is SIP over TCP. SIPS+D2T uses TLS encryption over TCP.
- "" - Regexp field. Regular expression to extract a domain name. In this case, empty.
- _sip._udp.mysite.ru. - SRV record name (server responsible for this type of connection).
Next you need to configure the SRV record:
host -t srv _sip._udp.mysite.ru
_sip._udp.mysite.ru has SRV record 10 0 5060 asterisk.mysite.ru.
- _sip - Service field. Telephony service.
- _udp - Proto field: the protocol. Usually _udp or _tcp.
- mysite.ru - domain name for which the entry is created.
- 10 - Priority field: sets the priority of this entry.
- 0 - Weight field: relative priority. Matters for entries with the same Priority.
- 5060 - Port field. The port on which the server accepts SIP commands.
- asterisk.mysite.ru. - Target field: the server name.
As practice has shown, many SIP clients check only the _sip._udp. and _sip._tcp. SRV records for your domain and ignore the information in NAPTR.
More information on how telephony works with DNS can be found in the relevant standard.
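The lookup order described above, worked through on the records from this page; this is an added example, not code from the original article. The function names are hypothetical, and ordering equal-priority SRV entries by higher weight first is a deterministic simplification.

```python
import re

# Constructed input: the record lines from the `host` output shown on this page.
NAPTR_OUTPUT = """\
mysite.ru has NAPTR record 10 50 "s" "SIP+D2U" "" _sip._udp.mysite.ru.
mysite.ru has NAPTR record 10 51 "s" "SIP+D2U" "" _sip._udp.second.mysite.ru.
mysite.ru has NAPTR record 20 50 "s" "SIP+D2T" "" _sip._tcp.mysite.ru.
mysite.ru has NAPTR record 20 50 "s" "SIPS+D2T" "" _sips._tcp.mysite.ru.
"""
SRV_OUTPUT = "_sip._udp.mysite.ru has SRV record 10 0 5060 asterisk.mysite.ru.\n"

NAPTR_RE = re.compile(r'(\S+) has NAPTR record (\d+) (\d+) "([^"]*)" "([^"]*)" "([^"]*)" (\S+)')
SRV_RE = re.compile(r"(\S+) has SRV record (\d+) (\d+) (\d+) (\S+)")


def parse_naptr(text):
    """Turn `host -t naptr` lines into dicts with order/preference/flags/service."""
    return [
        {"order": int(m[2]), "pref": int(m[3]), "flags": m[4].lower(),
         "service": m[5].upper(), "srv_name": m[7]}
        for m in NAPTR_RE.finditer(text)
    ]


def parse_srv(text):
    """Turn `host -t srv` lines into dicts with priority/weight/port/target."""
    return [
        {"name": m[1].rstrip("."), "priority": int(m[2]), "weight": int(m[3]),
         "port": int(m[4]), "target": m[5]}
        for m in SRV_RE.finditer(text)
    ]


def srv_lookup_order(naptr, supported):
    """SRV names to query: supported "s" records, lowest Order then Preference first."""
    usable = [r for r in naptr if r["flags"] == "s" and r["service"] in supported]
    return [r["srv_name"] for r in sorted(usable, key=lambda r: (r["order"], r["pref"]))]


def resolve(naptr_text, srv_text, supported):
    """Ordered (target, port) list for a client that supports `supported` services."""
    srv = parse_srv(srv_text)
    targets = []
    for name in srv_lookup_order(parse_naptr(naptr_text), supported):
        # Lowest Priority first; Weight only matters between equal priorities
        # (here simply higher weight first, a deterministic simplification).
        hits = [s for s in srv if s["name"] == name.rstrip(".")]
        hits.sort(key=lambda s: (s["priority"], -s["weight"]))
        targets += [(s["target"], s["port"]) for s in hits]
    return targets


if __name__ == "__main__":
    print(resolve(NAPTR_OUTPUT, SRV_OUTPUT, {"SIP+D2U"}))
```

A client that supports only SIP+D2T gets an empty result here, because the sample contains no SRV record for _sip._tcp.mysite.ru.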
Configuring Asterisk Server
First, you need to allow calls without authorization and place them in a separate context. To do this, in sip.conf:
[general]
...
context=guest-call
allowguest=yes
...
Next, you need to create this context in the extensions.conf file:
[guest-call]
; Users that guest (unauthenticated) callers may reach
exten => director,1,Log(NOTICE,Good call IP=${CHANNEL(peerip)})
exten => director,n,Dial(SIP/105@default)
exten => alex,1,Log(NOTICE, Good call IP=${CHANNEL(peerip)})
exten => alex,n,Dial(SIP/106@default)
exten => 101,1,Log(NOTICE, Good call IP=${CHANNEL(peerip)})
exten => 101,n,Dial(SIP/101@default)
; Anything else: log with a separate message and hang up
exten => _.,1,Log(WARNING,Wrong call IP=${CHANNEL(peerip)})
exten => _.,n,Playback(bad-user)
exten => _.,n,Hangup()
Apply the configuration with sip reload and dialplan reload. In this context we log all unauthorized calls and then call the local subscriber. Change default to your context with local users. List here every user for whom unauthorized calls will be accepted.
Wrong calls are logged with a separate message. We can add analysis of this message to fail2ban to block extension guessing; for example, in the configuration file /etc/fail2ban/filter.d/asterisk.conf we add the line:
failregex = … … … Wrong call IP=<HOST>
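How this filter line separates wrong calls from good ones and when a source would be banned, as an added example that is not part of the original article. The log lines, addresses and thresholds are constructed, and the IPv4-only group is a simplified stand-in for fail2ban's own <HOST> expansion.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines; only the "Good call IP=" / "Wrong call IP=" tails
# come from the dialplan on this page.
LOG = """\
[2024-01-10 10:00:01] NOTICE[2101] Ext. director:1 @ guest-call: Good call IP=198.51.100.20
[2024-01-10 10:00:05] WARNING[2101] Ext. 1000:1 @ guest-call: Wrong call IP=203.0.113.7
[2024-01-10 10:00:09] WARNING[2101] Ext. 1001:1 @ guest-call: Wrong call IP=203.0.113.7
[2024-01-10 10:00:12] WARNING[2101] Ext. 9000:1 @ guest-call: Wrong call IP=192.0.2.44
[2024-01-10 10:00:14] WARNING[2101] Ext. 1002:1 @ guest-call: Wrong call IP=203.0.113.7
[2024-01-10 10:15:00] WARNING[2101] Ext. 9001:1 @ guest-call: Wrong call IP=192.0.2.44
[2024-01-10 10:30:00] WARNING[2101] Ext. 9002:1 @ guest-call: Wrong call IP=192.0.2.44
"""

# The part of the filter line that is visible on the page.
FAILREGEX = r"Wrong call IP=<HOST>"
# Assumption: IPv4 only; fail2ban substitutes its own, broader pattern for <HOST>.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\].*" + FAILREGEX.replace("<HOST>", HOST_GROUP))


def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time of the match that reached maxretry within findtime}."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["host"] in bans:
            continue  # good calls and already banned sources are skipped
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent[m["host"]]
        hits.append(ts)
        # Drop matches that have aged out of the findtime window.
        while ts - hits[0] > findtime:
            hits.popleft()
        if len(hits) >= maxretry:
            bans[m["host"]] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(LOG).items():
        print(f"ban {ip} at {when}")
```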
Pay particular attention to this dialplan: it must allow calls to local users only. A correct setup will save you from the unpleasant surprise of a big phone bill.
It should also be remembered that vulnerabilities can be found in any software, for example in the implementation of the SIP protocol or even in an SSH server. Therefore, it is advisable to set balance limits with your provider to avoid the risk of receiving a huge bill.
Virtual Services Solution
Recently, virtual PBX services have become very popular, and many of them allow you to make and receive calls on a SIP URI. There is also a Digital Office service that allows you to bind your domain to a telephony service. Using such services saves you from configuring and protecting the telephony server yourself. Most of them work on a prepaid basis and eliminate the risk of receiving large bills.
After setup, you can receive calls from other services and call them. You can also call other Asterisk servers if they support guest calls.