Asterisk 15.6.1/PJSIP: Outbound calls occasionally rejected

Occasionally when placing an outbound call through my ITSP the call gets rejected with status 403 ‘forbidden’. I’ve tracked down the problem to:

  1. My ITSP requires registration prior to accepting outbound calls.
  2. My ITSP likes to change around the IP address that its SIP server DNS name points to as it sees fit (often many times a day).

This leads to the situation where the last registration was made with ITSP server IP A, but at the time an outgoing call is to be made, the DNS name points to ITSP server IP B (which of course we have not -yet- registered to), thus server B rejects the call with status 403.

My understanding is that there is no DNS caching performed within PJSIP, so each time a name needs to be resolved, it will be done anew. So I tried to enable dnsmgr in asterisk to play around with it, but to my surprise it does not seem to cache anything. Each time I check ‘dnsmgr status’ it states that it has 0 entries cached. Does dnsmgr not work with PJSIP?

The solution to the problem seems to be to cache DNS responses between registrations, but right now I don’t see how this could be achieved either through asterisk/pjsip or using bind. If anyone can think of a workable solution, I would be glad to hear about it.

Dnsmgr is only used within PJSIP for the external_* configuration options. If using Asterisk 13 then it can cache entries according to the TTL in the DNS response. If using a version above then if the ‘unbound’ resolver is used it will do the same. If the ‘system’ resolver is used then the application doesn’t cache, but the resolver it uses may cache.

Asterisk runs on the gateway machine and has access to both public and private interfaces, thus there is no NAT involved and no ‘external_*’ configuration options. DNS server is bind911-9.11.5 acting as a recursive caching DNS server with the exception of the ITSP sip domain which gets forwarded to my ISP’s name servers as these are the only ones able to resolve the address/domain.

Honestly, I don’t see an easy solution to this problem. DNS server does not know when the next REGISTER is due and the TTL probably times out somewhere in between registrations, leaving a time frame of up to an hour where things can possibly go south. Asterisk on the other hand does not know/care about the DNS TTL and just resolves the address each time if/when it’s needed. And the question why this ITSP does not challenge for authentication but instead just bumps the call with a 403 response is probably a whole story of its own. I would be very much interested in how those devices usually handed out by ISPs like that one (aka FritzBox) handle such sick setups on the ISP’s side.
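
An added example, not part of the thread and not Asterisk project code: one way to shrink the window described above is to poll the registrar's DNS name and trigger a fresh REGISTER with the `pjsip send register` CLI command whenever the answer changes. It assumes the ITSP name resolves through plain A records (no SRV/NAPTR) and that the script's resolver gives the same answer Asterisk sees; `sip.example.net` and `itsp-reg` are placeholders, and the first poll always registers once to establish a baseline.

```python
import socket
import subprocess
import time


def resolve_ipv4(host):
    """Ask the system resolver for the IPv4 addresses host currently maps to."""
    infos = socket.getaddrinfo(host, 5060, socket.AF_INET, socket.SOCK_DGRAM)
    return frozenset(info[4][0] for info in infos)


class RegistrationWatchdog:
    """Re-register as soon as the registrar's DNS answer differs from the
    answer that was current when the last REGISTER was triggered."""

    def __init__(self, host, registration, resolver=resolve_ipv4,
                 runner=subprocess.run):
        self.host = host
        self.registration = registration
        self.resolver = resolver
        self.runner = runner
        self.registered_to = None   # DNS answer at the last triggered REGISTER

    def check(self):
        """Return True if a REGISTER was triggered by this poll."""
        try:
            current = frozenset(self.resolver(self.host))
        except OSError:             # lookup failed: keep state, retry next poll
            return False
        if not current or current == self.registered_to:
            return False
        self.runner(["asterisk", "-rx",
                     f"pjsip send register {self.registration}"], check=True)
        self.registered_to = current
        return True


if __name__ == "__main__":
    # Placeholder names: substitute the ITSP host and the name of the
    # type=registration section from pjsip.conf.
    watchdog = RegistrationWatchdog("sip.example.net", "itsp-reg")
    while True:
        if watchdog.check():
            print("DNS answer changed, REGISTER sent to",
                  sorted(watchdog.registered_to))
        time.sleep(30)
```

Polling narrows the exposure from the registration interval to the poll interval; a call placed between the DNS change and the next poll can still be rejected.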