0

Implementing DNO blocking

What is a DNO list?

While there are several definitions of a DNO list, we will use concept that a DNO list is a data set of originating numbers (ANIs) that can not originate calls. This list can come in the form of number blocks (e.g. 999XXXXXXX), and specific numbers (e.g. 8008291040, the IRS). Numbers in a DNO list may have different nature, some examples include:

  • The number belongs to an unallocated numbering ranges (e.g. 999111XXXX) and it is not in service.
  • The number is in-service numbers but is marked as inbound-only (e.g. inbound Call Centers)
  • Billing numbers.
  • Disconnected numbers that belong to allocated numbering ranges.

Calls from DNO numbers are a source of illegal, fraudulent or otherwise malicious traffic and the FCC is mandating the blocking of calls with DNO nature.

With Sansay NSS, you have the freedom to choose the deployment model that best aligns with your operational environment. You can seamlessly leverage Sansay’s fully managed DNO service, which provides a turnkey solution to comply with the FCC mandate.  Please contact Sansay Support for more information. 

Organizations that prefer customization can deploy a Bring-Your-Own DNO (BYO-DNO) approach. This option allows you to integrate your existing data sources directly with NSS. The rest of this guide is for a BYO DNO implementation.

VSXi Implementation

Sansay customers with VSXi have the option of implementing DNO in a few ways:

  • STI-AS dip with a an App Server such as Sansay NSS. This allows the call signing or blocking decision to occur on the same dip.
  • LNP or ERS dip. This consists of performing a dip and in the event the call matches DNO criteria a pre-defined number is returned and expected to be blocked. This service is provided in the cloud and works for any device that can handle a INVITE/302 redirect mechanism. Alternate responses are also supported such as INVITE/404 or 503.

If you are not sure which option to pursue, Sansay can help identify the best way to do this in your network.

The VSXi can also be used for DNO blocking with the use of a Digit Mapping Table (DMT). The DMT is recommended for lists that do not exceed 100,000 entries. If you prefer to implement it yourself you can follow this guide: https://support.sansay.com/t/m2d31b/digit-mapping-table-dmt-guided-tutorial#block-calls-from-a-specific-ani

 

NSS Implementation

In addition to regular STI-AS attestation policy rules, NSS supports an Extended policy list that can be used to implement DNO. Numbers included in the Extended policy are tagged with a letter aimed at describing the nature of DNO (e.g. Invalid NPA = I).

The value of the letter is solely informational and can be used to provide context when a call is rejected and/or for internal reporting purposes.

NSS supports the implementation of a DNO list in several ways:

  1. STI-AS and DNO combined dip. DNO match results in a SIP 302 with a predefined Identity Header.
    1. Option A: No identity header. If your network is configured to reject calls without a STIR/SHAKEN signature this would be a good option for you.
    2. Option B: Crafted Identity header with the use of STI-VS. The objective with the crafted Identity header is to facilitate an STI-VS dip on the termination trunk for the call to be rejected. To avoid misleading any readers, please contact Sansay Support.
  2. Stand-alone DNO dip. This is a pre or post STI-AS lookup (e.g. LNP or ERS). 

The response for queries that find a positive match against the DNO is customized using an SMC profile. The SMC profile is assigned as an Egress SMC profile to the originating device/switch as illustrated below.

Updating the DNO List

Updating the DNO list ensures its accuracy and coverage. The DNO list can be updated via NSS GUI or REST API. DNO entries follow the same structure of STI-AS policies.

Updating DNO via GUI

Extended policies corresponding to DNO can be updated in bulk via GUI. The following formats are supported: CSV, XML, JSON. Actions include: Update, Delete and Replace.

Note: Please be extra cautious when using the Replace operation. This operation must also include your regular (STI-AS) policies.

Example CSV inside dno.zip:

SbcID, Otg, Ani, Attestation
any,any,938511,S
any,any,999,I

Updating DNO via API

curl -u xxx:xxx -X POST -k -T dno.zip "https://localhost:8888/ROME/webresources/nss/update/authorizedANI?&format=csv"

Example CSV inside dno.zip:

SbcID, Otg, Ani, Attestation
any,any,938511,S
any,any,999,I

For more information on NSS REST API please follow this link.

Configuration Summary

After having read the above information the steps to implement to DNO are as follows:

  1. Decide operating mode (SIP/603, SIP/302, other).
  2. Upload Extended policy list with DNO data set.
  3. Upload SMC profile.
  4. Attach SMC profile (Egress) to Switch/SBCs.

CNAM Overlay

In addition to call blocking it is possible to overlay information on a calling number instead of opting to block the call. This may be useful when integrating with analytics services where a calling number carries the likelihood of fraud or spam but does not have the same weight as DNO's authoritative accuracy for blocking.

CNAM overlay is switch/SBC implementation specific. We will be updating this document in the near future.

Reply

null
Login to reply

Content aside

Related Articles
Monitor your STIR/SHAKEN Certificate using Cronitor
Transition to Automated Certificate Renewals
Branded Calling ID
NetSapiens SNAP integration with NSS
Kamailio integration with Sansay NSS
NSS Simplified Flow Diagram
NSS Configuration Backup and Restore
Implementing DNO blocking
Freeswitch and NSS integration
Asterisk and NSS integration
Using NSS for STI-AS/STI-VS with ACME SBC
STI-VS Call Presentation Options and VERSTAT handling
STI-AS Attestation Policy Options
Sansay STI-CA