I’m not aware of a case where Asterisk incorrectly resolves a domain name, and I can’t work out from your description where you think that is happening.
insecure=port is unusual, except for TCP.
type=friend is bad practice. Use type=peer in most cases.
If Asterisk sending 401, it is because the call is coming from an unknown IP address, or because it is coming from a known IP address that has secret or md5secret set, but doesn’t have insecure=invite set, i.e. it configured to authenticate callers.
A 401 will only go on to a failure if the caller doesn’t actually authenticate. Most ITSP’s aren’t prepared to authenticate themselves,and need either remotesecret, instead of secret,or insecure=invite, as well as secret.