ENUM Best Practices - cesnet

ENUM Best Practices 

 

Ing. Lukáš Macura 

 

 

 

 

CESNET 

Obchodně podnikatelská fakulta v Karviné 

CESNET VoIP team

Contents 

 

 

 

 

 

 

 

 

 

Theory 

Setting DNS records 

Using ENUM trees 

Implementation in Asterisk 

Implementation in Kamailio 

Common problems 

Security 

Monitoring 

Conclusions

Theory 

 

 

 

 

 

ENUM is defined in RFC3761 

It ”maps” E.164 numbers into DNS 

NAPTR records 

More trees should be used (in theory, one is 

enaugh) 

Can be implemented on phone or PBX

Theory 

 

 

 

 

 

 

... 

ENUM is not VoIP 

ENUM can hold any mapping 

Can be used for number portability (Jan Rudinsky) 

PhNUM -- an ENUM-based service (Carsten Schiefner) 

E2MD – ENUM to metadata (Bernie Hoeneisen)

Theory 

 

 

 

 

Which point of view? 

User 

Company 

Operators

Theory 

 

Scenario - e164.arpa.

Theory 

 

 

 

 

We want to map number (+420 123451 XXX) 

into (SIP) uri sip:xxxxxxxxx@firma1.cz 





Anybody can use our records to call us.

Setting DNS Records 

 

 

 

 

 

 

 

 

We should use SRV records 

Anybody wants to call directly sip:xxx@firma1.cz 

Nobody knows our infrastructure. 

Where is UDP SIP server for @firma1.cz? 

_sip._udp IN SRV 20 0 5060 asterisk1.firma1.cz. 


Where is TLS SIPS server for @firma1.cz? 

_sips._tcp IN SRV 10 0 5061 kamailio.firma1.cz. 

 

We prefer sips uri, due to lower order (10) 

 

We want to loadbalance SIP server over two asterisks (same 

priority and weight)


 

 

 

 

 

 

 

 

 

 

Now let us setup NAPTR to make mapping 

Anybody wants to call +420 123451 XXX 

Without ENUM, user has to use PSTN and pay for call 

We have delegated 5.4.3.2.1.0.2.4.e164.arpa: 

5.4.3.2.1.0.2.4 IN NS ns.firma1.cz. 

So zone data are in our DNS server 

Entire mapping is in our zone 

We do not need anybody to change it 

It is decentralized structure, any company taking care of its 

records 

Very flexible instead of old style PSTN routing


 

Our zone for firma1.cz: 

$ORIGIN firma1.cz. 



_sips._tcp IN SRV 10 0 5061 kamailio.firma1.cz. 

Asterisk1 IN A 192.168.1.1 ; Yes, this is bad ;) 

Asterisk2 IN A 192.168.1.2 ; Yes, this is bad ;) 

Kamailio IN A 192.168.2.1; Yes, this is bad ;) 

Kamailio IN AAAA .... ; For ipv6 ready systems


 

 

 

 

 

Our zone for ENUM queries: 

All numbers will be stripped to national format (9 numbers) and 

forwarded to our SIP server. 

+420 123451 110 is echo test 

+420 123451 111 is switchboard 

We use '*' records, it is easier for us 

$ORIGIN 1.5.4.3.2.1.0.2.4.e164.arpa. 

* IN NAPTR 100 10 "u" "E2U+sip" "!^\\+420(.*)$!sip:\\1@firma1.cz!" . 

*.1 IN NAPTR 100 10 "u" "E2U+sip" "!^\\+420(.*)$!sip:\\1@firma1.cz!" . 

*.1.1. IN NAPTR 100 10 "u" "E2U+sip" "!^\\+420(.*)$!sip:\\1@firma1.cz!" . 

0.1.1 IN NAPTR 100 10 "u" "E2U+sip" "!^\\+420123451110$!sip:echo@firma1.cz!" . 

1.1.1 IN NAPTR 100 10 "u" "E2U+sip" "!^\\+420123451111$!sip:switchboard@firma1.cz!" .


 

 

 

 

 

It is needed to use more trees 

First, internal query 

Second, e164.arpa. 

Third, nrenum.net. 

Optionaly, e164.org. 

 

 

Hint: It can take some time to ask all servers 

Use local caching dns server


 

 

 

 

 

 

Internal query 

It is highly recomended for large institutions 

Especialy for organizations with decentralized 

management 

Like CESNET (autonomous subjects has their 

numbers and systems) 

Hard to maintain ”central” table of routes. 

Better to use decentralized tree with delegated 

DNS servers.


 

 

 

 

 

 

Internal infrastructure – group of companies 

e164.companies.cz. 

All companies will use this zone first 

Each zone is delegated to DNS server of 

particular company 

Very flexible 

Looks like central routing, but in fact, delegated 

and decentralistic


sip.conf 

 

 

 

 

 

 

[general] 

context=guest 

allowguest=yes 

realm=firma1.cz 

srvlookup=yes 

domain=firma1.cz


RFC Compliant ENUM macro: 

http://www.voip-info.org/wiki/view/RFC+Compliant+ENUM+Macro 

• 

It should handle all common uris 

• 

Asterisk knows more protocols than SIP 

• 

It handles all of protocols known to Asterisk 

 

 

 

Callable via dialplan: 

Macro(routeenum,${EXTEN}) 

Expects international number with '+'


Entire config is out of scope of this document 

loadmodule ”enum.so” 

modparam("enum", "domain_suffix", "e164.arpa.") 

; Somewhere in routing block: 

if (enum_query(”e164.companies.cz.”) { ; Internal query 

} 

route(RELAY); 

if (enum_query(”e164.arpa.”) { ; e164.arpa. query 

} 

route(RELAY); 

if (enum_query(”nrenum.net.”) { ; nrenum.net. query 

} 

route(RELAY); 

;Normal routing 

}


Hints: 

• 

Do not forget to prefix '+' to called number (function prefix()) 

• 

You can use any zone as parameter of enum_query 

• 

enum_query(”nrenum.net”) 

• 

Put it on right place to right routing block 

• 

enum_query will rewrite uri so it is enaught to relay message, 

no next modifications are needed


 

Kam3cfg 

 

./kam3cfg.php --global-prefix '+420' \ 

--local-domains 

'opf.slu.cz^sip.opf.slu.cz^fpf.slu.cz' \ 

--with-enum \ 

--enum-suffixes 

'e164.arpa.^nrenum.net^e164.org' \ 

--subscribers \ 

'123456789@opf.slu.cz/pass/authid


 

 

 

 

 

 

 

 

Kam3cfg 

”highly” configurable 

”easy” to use 

Result is config file 

Can be edited after it 

Supports LDAP, SQL, ENUM, … 

Uses smarty as template engine 

Can be theoreticaly used for opensips 

 

It is beta release, no warranty ;)

Common problems 

 

 

 

 

 

 

 

Take care of DNS zone config 

Do not forget to normalize number to 

international form with '+' 

Use right versions of software (Bugs in Asterisk 

even Kamailio) 

Small change to DNS can break many clents 

Better to use ”less complicated' DNS records 

Decentralized means we trust all subnodes 

Advantages can becomes disadvantages

Common Problems 

 

Revalidation of zones 

 

 

No registry to ask 

Users forgets it 

 

 

No technical solution now 

Dead zones 

 

 

CESNET has ENUM zones monitoring tool 

Helps to find: 

 

 

 

Which zones are expired 

Which zones will expire in short future 

Common mistakes in zone config

Security 

 

 

 

 

We are trusting DNS system 

It is possible to fake response 

We need DNSSEC infrastructure 

More problems to solve 

 

 

 

Not all trees are signed 

We have to use DNSSEC resolvers 

Not supported in many applications

Conclusions 

 

Use ENUM! ;) 

 

But don't trust anybody 

 

 

Ing. Lukas Macura 

CESNET

ENUM Best Practices - cesnet

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?