As explained in my last post showing the FusionPBX architecture, I am currently doing a training with some friends and, before going to the wild command line, I am trying to explain information flows. In this article, I am trying to document a simple call flow. Please note that this diagram may differ from what you see in practice, as dial-plans always vary from user to user. I have also left out some SIP answers (in case a SIP purist reads it).
DNS tunnelling is just another tunnelling technique. Usually it is also called VPN over DNS; it is just naming. What makes it very popular is that not all carriers or network administrators are aware of it, or if they are, they don't know exactly how to stop it. Rogers, one of the biggest telecommunication carriers in Canada, and Telcel, the biggest mobile telephony player in Mexico, both allow DNS tunnelling (I don't doubt other carriers do as well), so when you run out of data in your plan you can still connect if you configure it on your mobile. This is because smartphones need to connect to some carrier servers regardless of whether you have the right to 2G/3G/4G data access or not; smartphones still have access to the local DNS server. Local networks show the same symptom: because DNS is used to access many IT services such as Active Directory, it is very difficult to tell a legitimate DNS query from DNS tunnelling traffic without proper tools.
Because of this, I am going to describe how this technique works.
This is new to me. Since CentOS 7.3, there have been some security changes. Among those changes is the use of the PrivateTmp flag in many services, and of course Apache is one of them. For those who are curious about what this flag means, here is the manual text:
Takes a boolean argument. If true, sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it that are not shared by processes outside of the namespace. This is useful to secure access to temporary files of the process, but makes sharing between processes via /tmp or /var/tmp impossible. If this is enabled, all temporary files created by a service in these directories will be removed after the service is stopped. Defaults to false. It is possible to run two or more units within the same private /tmp and /var/tmp namespace by using the JoinsNamespaceOf= directive, see systemd.unit(5) for details. Note that using this setting will disconnect propagation of mounts from the service to the host (propagation in the opposite direction continues to work). This means that this setting may not be used for services which shall be able to install mount points in the main mount namespace.
I am going to explain an issue I had with one of my customers' PBXs.