Responsive firewall question, pfSense rules to avoid IP scans?

For the domain leakage, I suggest

If your firewall allows everything from your VSP first, you can safely move to a different port for UDP before dropping UDP/5060 later, but I suggest also moving the transport to TLS, which apparently voip.ms supports, or at least TCP.

https://wiki.voip.ms/article/Call_Encryption_-_TLS/SRTP

If your VSP insists on only UDP/5060 for IP connections, then SNAT/PNAT 5060 to your listening port for the VSP's IPs, or move to registration.

As a kind of aside, use a current version of fail2ban, use pyinotify for the backend, enable the recidive jail, and adjust the asterisk jail to reflect your port changes, but given the above, it won't be needed too often.

Having done the above, IWFM.
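
The fail2ban changes described in the post above, sketched as a `jail.local` override. This is an added example, not the poster's own configuration; the port numbers 15060 and 15061 are constructed placeholders for whatever listening ports you moved to, and the file path assumes a stock package layout.

```ini
# /etc/fail2ban/jail.local  (assumed path; overrides the stock jail.conf)

[DEFAULT]
# Watch log files via inotify instead of polling.
# Requires the Python pyinotify module to be installed.
backend = pyinotify

[recidive]
# Re-bans hosts that keep getting banned by other jails.
# Reads fail2ban's own log, so fail2ban's loglevel must not be DEBUG.
enabled = true

[asterisk]
enabled = true
# Constructed placeholder ports: replace with the ports Asterisk
# actually listens on after moving off 5060/5061.
port = 15060,15061
```

After editing, `fail2ban-client reload` applies the change and `fail2ban-client status asterisk` shows whether the jail is active and watching its log file.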