Plantronics + Polycom. Now together as Poly Logo

INVITE vaidation causing DNS lookups, delays

SOLVED
Squigley
Valued Contributor

INVITE vaidation causing DNS lookups, delays

Hi,

 

We have our devices configured to use INVITE validation, to stop phantom ringing from SIP worms that spew INVITEs all over the place, and lousy NAT routers that implement full cone NAT.

 

This works, however the issue we've noticed this has caused now, is that as a result, the phones are attempting to perform DNS lookups agains their server name, even though they're registering through an outbound proxy, which is where the INVITEs are coming from.

 

ie, phone has a server of "nonexistant.domain.com" and the outbound proxy is a valid DNS name.

 

When the INVITE is sent, the phone sits there for 6 seconds, trying to resolve nonexistant.domain.com for NAPTR, SRV, and A records, against both of it's DNS servers, taking either 6 or 12 seconds, before it will finally respond "Trying" to the proxy.

 

The log ends up containing:

 

1209103858|ares |4|03|aresDnsLookup: select time-out 1 on A lookup for 'nonexistant.domain.com' after 1 sec
1209103900|sip  |4|03|doDnsListLookup(udp): doDnsSrvLookupForARecordList 'nonexistant.domain.com' found no records

 

As a result calls are taking too long to come up, and our switch considers the phone dead, so when the OK packet comes in ~20 seconds later, as it took over 5 seconds to respond to the initial INVITE (and in some cases doesn't send a Trying or Ringing), the switch then doesn't respond to the OK with an ACK, and after 20 seconds or so, the Polycom gives up and sends BYE.

 

I thought that I could add DNS cache entries for "nonexistant.domain.com" to point to our switch, but then realised because the phone has valid DNS servers available it's still going to spend 6 seconds or more trying to resolve before it will fail and use the cache.

 

Is there a way to disable this DNS lookup? The validation should be getting done against the source IP of the INVITE anyway, which it would see was the IP of the proxy it was registered against.

 

Thanks.

Message 1 of 9
1 ACCEPTED SOLUTION

Accepted Solutions
Squigley
Valued Contributor

Re: INVITE vaidation causing DNS lookups, delays

This ticket dragged on for months, and in the end Polycom's conclusion was "this is working as designed". We had already long given up, and changed the local SIP port.

 

We have just had to revisit this, as SIP worms are now targetting port 5080, where we relocated all the phones. Our configuration is now different. We no longer use an Outbound Proxy Server for registration, and we register all our phones against valid Registration Server addresses.

 

In recent testing against VVX phones running FW 5.1.2 and 5.1.3, no DNS lookups are triggered in response to receiving an INVITE when INVITE validation is enabled against the source. The phone either accepts and responds to the INVITE immediately, or it responds "400 Bad Request" when the source is not a registration server. It even works correctly when the phone loses access to a working DNS server, and is registering using DNS Cache entries configured in the phone.

 

So in conclusion, if you are using this in an environment where the phones are configured to register via an Outbound Proxy, the phone requires properly working DNS servers. If the phones are configured to register directly to the registration servers, then unreliable or broken DNS will not affect the phone's ability to validate the INVITEs.

View solution in original post

Message 7 of 9
8 REPLIES 8
SteffenBaierUK
Polycom Employee & Community Manager

Re: INVITE vaidation causing DNS lookups, delays

Hello Squigley,

welcome back to the Polycom Community.

As an experienced community advisor there are two things:

 

  • Could you be so kind and follow up originally posted topics with requested updates ?

  • In addition it is always useful to post the currently used software version and possibly the phone you experienced the issue.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

----------------
The title Polycom Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. My official "day" Job is 3rd Level support at Poly but I am unable to provide official support via the community.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
Message 2 of 9
Squigley
Valued Contributor

Re: INVITE vaidation causing DNS lookups, delays

Hi Steffen,

 

We've noticed this with lots of different phones, which is why I didn't include that information, however so far I've seen it (in packet captures) with:

 

PolycomSoundPointIP-SPIP_335-UA/4.0.4.2906 (x18)

PolycomSoundPointIP-SPIP_550-UA/4.0.4.2906

 

I suspect this will affect every phone we have running 4.0.4.2906, which is 2925 of them.

 

I've been dealing with customer complaints and trying to get the issue resolved, so I haven't had a chance to test against the VVX platform yet, or the legacy 3.1.8/3.3.5 platforms, so I'm not sure if they're affected.

 

I can remove the validation as a workaround, but then we'll be back to the issue of "ghost" calls making the phones ring from recieving unauthorised INVITEs, and we have over 100 customers affected by this issue.

Message 3 of 9
SteffenBaierUK
Polycom Employee & Community Manager

Re: INVITE vaidation causing DNS lookups, delays

Hello Squigley,

 

this should be urgently reported via your Polycom reseller to our support team in order to verify this.

 

I believe the voIpProt.SIP.requestValidation.x.request Parameter should work with a Proxy but would need to reproduce this in my lab.

 

As such activity is outside the scope of the community only a escalation as described above can be utilized.

 

Please post or email me the Polycom ticket reference number so I can keep an eye on the ticket.

 

Best Regards

 

Steffen Baier

----------------
The title Polycom Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. My official "day" Job is 3rd Level support at Poly but I am unable to provide official support via the community.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
Message 4 of 9
Squigley
Valued Contributor

Re: INVITE vaidation causing DNS lookups, delays

HI Steffen,

 

We are a reseller, so I've escalated this, and the ticket number is 1-460050671

 

Thanks.

Message 5 of 9
Squigley
Valued Contributor

Re: INVITE vaidation causing DNS lookups, delays

 

We've had no response to our ticket from Polycom yet, and after doing random checks on phones, I was seeing delays and issues all over the place, so I had to remove the validation settings and reboot over 3500 phones.

 

I've used the voIpProt.SIP.local.port and legacy voIpProt.local.port settings to move all the phones from using 5060, which should resolve the issue, however it may cause us issues with people using restrictive firewalls or routers with QoS based on source port of 5060.

Message 6 of 9
Squigley
Valued Contributor

Re: INVITE vaidation causing DNS lookups, delays

This ticket dragged on for months, and in the end Polycom's conclusion was "this is working as designed". We had already long given up, and changed the local SIP port.

 

We have just had to revisit this, as SIP worms are now targetting port 5080, where we relocated all the phones. Our configuration is now different. We no longer use an Outbound Proxy Server for registration, and we register all our phones against valid Registration Server addresses.

 

In recent testing against VVX phones running FW 5.1.2 and 5.1.3, no DNS lookups are triggered in response to receiving an INVITE when INVITE validation is enabled against the source. The phone either accepts and responds to the INVITE immediately, or it responds "400 Bad Request" when the source is not a registration server. It even works correctly when the phone loses access to a working DNS server, and is registering using DNS Cache entries configured in the phone.

 

So in conclusion, if you are using this in an environment where the phones are configured to register via an Outbound Proxy, the phone requires properly working DNS servers. If the phones are configured to register directly to the registration servers, then unreliable or broken DNS will not affect the phone's ability to validate the INVITEs.

View solution in original post

Message 7 of 9
robertrozario
Advisor

Re: INVITE vaidation causing DNS lookups, delays

Hi, 

We are a  service provider and we have experienced this issue on our VVX range handsets on various firmware from 4.1.x to 5.5.1 We have around 20K handsets in field. 

Has anyone else experienced this issue. ?

Is it still ongoing.?

We use below config

<requestValidation
voIpProt.SIP.requestValidation.digest.realm=""
voIpProt.SIP.requestValidation.1.method="source"
voIpProt.SIP.requestValidation.1.request="INVITE"
/>

We see dns attempts and calls are delayed by 4 - 8 seconds. 

We use outbound proxy.

when dns server becomes unreachable, we see this issue.

Regards

Robert

 

Message 8 of 9
SteffenBaierUK
Polycom Employee & Community Manager

Re: INVITE vaidation causing DNS lookups, delays

Hello @robertrozario,

welcome back to the Polycom community.

Some or a couple of your old post(s) => here <= are still open / pending as you have not marked these as "Accept as a solution" or at least provided some form of feedback or answer.

If they are in this state nobody finding them via a community search will know if an answer or advice provided was useful and has maybe helped you.

Could you therefore kindly go over them and mark or answer as appropriate ?

If they are marked as "Accept as a solution" other users can find these easier and it helps them to utilise the community more efficiently.

 

So please update / mark your old post and for your new post contact Polycom support as none of your mentioned Software Versions are currently supported.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

----------------
The title Polycom Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. My official "day" Job is 3rd Level support at Poly but I am unable to provide official support via the community.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
Message 9 of 9