Device authentication failed vs not a local domain

In my asterisk console I sometimes get “not a local domain” and sometimes “handle_request_invite: Failed to authenticate device” from hackers.

I have domain set in sip.conf under [general] so I would have thought all requests to @ip address would get a reply “not a local domain”. Are the devices getting “handle_request_invite: Failed to authenticate device” cached registrations? If so, can I flush them?

Here is my sip.conf, redacted. Any suggestions for improvements would be greatly appreciated.

[general]
transport=udp
context=default
alwaysauthreject=yes
allowoverlap=no
udpbindaddr=0.0.0.0
udpbindport=5060
tcpenable=no
localnet=10.0.0.0/255.0.0.0
externip=123.45.678.90
nat=force_rport,comedia
preferred_codec_only=yes
disallow=all
allow=ulaw
;sipdebug=yes
; sip domain settings
autodomain = no
domain = asterisk.mydomain.com
domain = internal.mydomain.com
; sip-to-sip security related settings
allowexternaldomains = no
allowguest = no

twilio
type=peer
context=some_context
host=123456789.pstn.twilio.com
dtmfmode=rfc2833
canreinvite=no
insecure=invite,port
qualify=no

friends_internal
type=peer
host=dynamic
context=from-internal
dtmfmode=rfc2833
disallow=all
allow=ulaw

markhorrocks
secret=haha
deny=0.0.0.0/0.0.0.0
permit=10.0.0.0/255.0.0.0