Dynamic address lists via srv entry

Hi,
as far as I can see, until now only A/AAAA calls are allowed via

/ip/firewall/address-list/add list="Test" address="google.de"

But some VoIP providers don’t support direct A/AAAA calls any more, because they use SRV records.
So for creating the dynamic list I need something like:

/ip/firewall/address-list/add list="Test" address="srv <record>"

Does anyone have a workaround for it, so that I can use dynamic IP lists for filtering?
Current use case:
SIP registrar of the “Telekom Germany”

dig tel.t-online.de
no ;; ANSWER SECTION:
dig SRV _sips._tcp.tel.t-online.de
;; ANSWER SECTION:
_sips._tcp.tel.t-online.de. 2437 IN	SRV	20 0 5061 hno002-l01-mav-pc-rt-001.edns.t-ipnet.de.
_sips._tcp.tel.t-online.de. 2437 IN	SRV	30 0 5061 nes008-f01-mav-pc-rt-001.edns.t-ipnet.de.
_sips._tcp.tel.t-online.de. 2437 IN	SRV	10 0 5061 ffm021-l01-mav-pc-rt-001.edns.t-ipnet.de.
dig ffm021-l01-mav-pc-rt-001.edns.t-ipnet.de
;; ANSWER SECTION:
ffm021-l01-mav-pc-rt-001.edns.t-ipnet.de. 2427 IN A 217.0.146.5

So for the dynamic lists I need the A records for hno002-l01-mav-pc-rt-001.edns.t-ipnet.de, nes008-f01-mav-pc-rt-001.edns.t-ipnet.de and ffm021-l01-mav-pc-rt-001.edns.t-ipnet.de in this case.
But I think the SRV entries are also dynamic. So the list must be filled in two steps. First resolve the SRV entry and then the A record for each SRV record.

The only workaround currently available requires scripting. RouterOS is unable to generate a SRV query at all, not just as a way to populate an address list, but it does cache the responses to SRV queries issued by clients. So you can schedule a script that will keep reading the cached responses and update the address list with their contents. Is the following a sufficient hint?

:foreach dtagSIPs in=[/ip/dns/cache/find where name="_sips._tcp.tel.t-online.de"] do={:put [/ip/dns/cache get $dtagSIPs data]}

But how to fill the cache?
A simple:

/ip/dns/cache/print

doesn’t show any _sips._tcp.tel… entries.
Because if I understand the example correctly, it is based on the cache.
But my clients don’t use the internal dns server of the router.

The phone must send its SRV query first, or use dig as you did before. The TTL was an hour when I tried a while ago.

Hm, but this will result in a huge load on the device I think.
Because the script must be called after every call to the dns service and then hope that the call to the sip server from the client comes after the lists are updated.

Running scripts loads the device several orders of magnitude less than routing packets, so you can literally run the check every second without a noticeable impact.

The phone will send the SYN packet to establish a connection to a new server multiple times before giving up so running the script once per second will be enough.

What worries me more is that the phones do not use the Mikrotik as their DNS server, because although it may be possible to use the traffic generator feature to make the Mikrotik send SRV requests to itself, substituting the absent ability to send them the “normal” way, it may receive a different response than the phone, so the phone may attempt to connect to a server the router does not know about. So you would have to just add the fqdns to the list and never remove them, and still there would be a chance that a phone learns about a new server sooner than the router. But since the phone gets three of them, it should not panic if one of them turns out to be unreachable.

Also bear in mind that the SBCs may use different IP addresses for media than for signalling, so if you want to use the address lists to filter the destinations in the internet towards which the phones are allowed to initiate connections, you may end up with silent calls.

The main reason not to use the built-in one is that it doesn’t support DNSSEC. So all answers are not trusted.
There is a long topic for it here.
So I have created a feature request at the support.
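
The two-step resolution discussed in this thread (SRV lookup, then one address-list entry per SRV target), as an added example that is not from any poster or from MikroTik. It assumes `dig` is run on a separate management host and its answer lines are fed to the script; the sample input is the answer section quoted above, the list name "Test" is the one from the first post, and the `:if ... find` duplicate guard and both function names are this example's own choices. Because the answers are unauthenticated DNS data that ends up inside a router command, targets are checked against a strict hostname pattern before use.

```python
import re

# Constructed sample: the SRV answer lines quoted in the thread above.
SAMPLE_DIG = """\
_sips._tcp.tel.t-online.de. 2437 IN\tSRV\t20 0 5061 hno002-l01-mav-pc-rt-001.edns.t-ipnet.de.
_sips._tcp.tel.t-online.de. 2437 IN\tSRV\t30 0 5061 nes008-f01-mav-pc-rt-001.edns.t-ipnet.de.
_sips._tcp.tel.t-online.de. 2437 IN\tSRV\t10 0 5061 ffm021-l01-mav-pc-rt-001.edns.t-ipnet.de.
"""

# Strict LDH hostname: DNS answers are untrusted input and end up inside a
# RouterOS command line, so anything else is dropped rather than quoted.
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
SRV_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(dig_output):
    """Return (priority, weight, port, target) tuples, lowest priority first."""
    records = []
    for line in dig_output.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:
            continue  # comments, headers, other record types
        prio, weight, port = (int(m.group(i)) for i in (3, 4, 5))
        target = m.group(6).rstrip(".").lower()
        if HOSTNAME.match(target):
            records.append((prio, weight, port, target))
    return sorted(records)


def routeros_commands(records, list_name="Test"):
    """Emit one guarded add per distinct target; RouterOS resolves the FQDN."""
    cmds, seen = [], set()
    for _prio, _weight, _port, target in records:
        if target in seen:
            continue
        seen.add(target)
        cmds.append(
            f':if ([:len [/ip/firewall/address-list/find where list="{list_name}" '
            f'address="{target}"]] = 0) do={{/ip/firewall/address-list/add '
            f'list="{list_name}" address="{target}"}}'
        )
    return cmds


if __name__ == "__main__":
    print("\n".join(routeros_commands(parse_srv(SAMPLE_DIG))))
```

Entries are only ever added, never removed, matching the advice above to keep FQDNs in the list once learned.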