Appliance building with pfSense – Introducing pfDNS!
While reworking the builder system for a commercial client that is
basing their appliance on pfSense, we needed a builder target that
could be public and show how to build an appliance from scratch.
Therefore, pfDNS was born! http://snipurl.com/4q1xe
pfDNS is a customized pfSense installation featuring the TinyDNS server package, intended for hosting DNS. XMLRPC sync support to secondary nameservers means you only need to enter the information on the primary name server, making administration of your primary and secondary name servers a breeze. Depending on how popular this gets, we might add a website and start making regular releases.
To see how pfDNS was created, check out
tools/builder_scripts/builder_profiles/pfDNS.
Building this appliance could not be easier! Simply copy
tools/builder_scripts/builder_profiles/pfDNS/pfsense_local.sh to
/home/pfsense/tools/builder_scripts/ and run build_iso.sh and presto!
I hope this example appliance will help others on their quest when
building a custom appliance based on the pfSense framework.
Edit: updated version available based on FreeBSD 8 and a newer DNS package with a number of bug fixes.
What do you all think? Leave comments in the blog.
Also, Holger is working on some artwork that I will get in there soon. I’ll
post an updated ISO at that point (just look for a newer mtime).
EDIT: artwork added. It is a work in progress but gives a better idea of how the builder system can customize an appliance.

October 26th, 2008 at 9:46 pm
Amazing!
This could mean a new era for pf-based appliances: pfMail? pfProxy?
Keep up the tremendous good work!
October 27th, 2008 at 3:11 am
Great news, I always put djbdns alongside my Squid server.
Perhaps I can create a proxy appliance from this example.
Thank you for the great effort.
October 27th, 2008 at 12:08 pm
pfProxy would be great, especially to run it on a Soekris 4511.
October 27th, 2008 at 1:48 pm
Hi,
sounds like. I think it would be great to have a plugin interface (I’m new to pfsense, don’t know if something like that exists) – I think a configuration entry and the php files to configure the plugin would do the job, so everyone can create his own packages …
Just my 2 cents.
P.S.: I love djbdns, go ahead
October 27th, 2008 at 2:48 pm
H.Volpers: there’s already a package system that does what you describe, has been for years.
dirk: a similar proxy appliance is possible in the future, but not one that’ll run on a Soekris 45xx. Those boxes are far too slow to be usable for much anymore, and don’t have enough RAM to run pfSense.
The same thing pfDNS does is possible with pfSense – just install the DNS server package. But this is a better solution for a single-purpose DNS/DHCP/etc. appliance.
October 27th, 2008 at 3:44 pm
First I love the idea. Just downloaded and tried the pfDNS ISO – looks very nice. Some ideas you may want to consider:
- ability to verify a zone file
- ability to import existing zone file
- graph DNS statistics (http://develooper.com/code/tinydns-rrd/ and http://main.merlin.com.ua/doc/rrd/gallery/nate-01.html)
October 27th, 2008 at 7:07 pm
Frank: Great ideas, thanks. However, those scripts are written in Perl. If someone wants to write a collector script in PHP or sh, please let me know.
Can you be more specific about verifying a zone file? Actually query each record against the NS to verify that it is working correctly?
October 28th, 2008 at 3:13 pm
I did not look at the script in detail. If there is no one else, I may be able to find some time to do the script conversion.
What I was thinking with respect to verifying the zone file is when importing an existing BIND file. If someone has existing BIND zones, it would be very useful to simply import them to the pfDNS, and at the same time verify that there are no issues with each file.
October 28th, 2008 at 7:27 pm
I like the green theme – I would like to see a matching one for pfsense in yellow or orange perhaps!
October 28th, 2008 at 8:17 pm
@cheesyboofs: you mean basically the same theme but with the pfSense logo, maybe in amber? I might do that once it is finished, but chances are that this theme will be pfDNS-exclusive (though you could manually install it on a pfSense too, of course). There is still some work to do on this theme as I want to redo all the buttons as well, but it’s slowly getting there. Check out the new blog post with the updated shot.
October 29th, 2008 at 7:46 am
QUOTE: ”You mean basically the same theme but with the pfsense logo, maybe in amber?”
Exactly! And then if new appliances are created in the future they can use the same theme but in a different colour again. This would be a clear reminder of which appliance you were messing with. I also think it’s a nice theme and I haven’t got access to the original files to tweak them myself ;p
October 29th, 2008 at 1:33 pm
@cheesyboofs: getting access to the theme files is fairly easy. Install the pfDNS appliance, enable SSH, and use a tool like WinSCP or FileZilla to download the theme folder from /usr/local/www/themes/pfDNS, then do a hue shift for all the needed images and modify the .css files to change the color set. Re-upload and you should be done. You’ll probably want to wait until the theme is finished before doing this. Maybe I’ll add the complete image sources to the artwork section in our CVS too later so users can make their own modifications to the images.
October 29th, 2008 at 2:07 pm
Great job! It seems that this is what we will need… smaller dedicated / on-purpose machines rather than one big one to do it all (proxy, mail, DNS, FTP, HTTP, etc.).
Of course this does NOT mean that pfSense is less capable of this stuff.
Best regards to the team !
October 30th, 2008 at 2:04 am
The links to the ISO and img files are broken, atm.
October 30th, 2008 at 10:20 am
Scott must be updating the images. Not sure, I emailed him to let him know
October 30th, 2008 at 8:17 pm
A new version will be available in the next day or so, on FreeBSD 7.1. Scott overwrote the old version with a newer build that didn’t work, and didn’t keep a copy of the previous. I’m putting back the iso right now.
October 31st, 2008 at 1:16 pm
It is unclear to me what is meant by your reference to primary and secondary; is the context DNS?
“XMLRPC sync support to secondary nameservers means you only need to enter the information on the primary name server making administration a breeze for your primary and secondary name servers. ”
If the context is DNS, what is unclear is why XMLRPC is important as the secondary should already pull the zones from the primary.
October 31st, 2008 at 1:29 pm
TinyDNS is not setup for zone transfers.
November 5th, 2008 at 10:10 am
Here is an alternate DNS stats graphing solution – TinyStats. There is even a FreeBSD port. It is written in C, please have a look for consideration of including it.
http://morettoni.net/tinystats.en.html
November 5th, 2008 at 10:11 am
Is the ISO still available?
It seems to have dropped off!
November 5th, 2008 at 1:13 pm
Nice find Frank! I’ll look at adding that.
November 5th, 2008 at 11:39 pm
I put the old iso back again (we inadvertently removed it while clearing up some disk space)
Updated releases will come once Scott gets some builder issues sorted out.
November 6th, 2008 at 4:40 pm
I’ve been doing some reading on TinyDNS and it appears limited (by design) with additional capabilities available as separate programs. As there are commercial vendors selling DNS/DHCP/IPAM appliances there is a viable market for your idea. What is the thinking of using TinyDNS versus BIND where the integration of other services such as DHCP would work very well. The integration of the two would also allow to perform IP address management reporting.
November 6th, 2008 at 4:44 pm
The thinking is its track record. TinyDNS has not had one exploitable hole since its inception. I for one do not feel comfortable with Buggy Internet Name Daemon.
November 6th, 2008 at 11:48 pm
This isn’t intended as a feature for feature competitor with the typical commercial DNS/DHCP/IPAM appliance.
There is a market for those serving only public DNS on the Internet where tinydns provides everything you need. It’s lightweight and fast, and has a flawless security track record. When hosting public Internet DNS, you don’t need all the functionality that BIND offers, and all that functionality has come at great expense to the security of the software. BIND has a decent record of late, but its all-time security track record is atrocious.
The primary intended use of pfDNS at this time is for public Internet DNS hosting. It offers a more secure and faster solution for such deployments.
I wouldn’t mind seeing the option of a BIND package at some point for hosting internal DNS where you require functionality TinyDNS can’t provide. That’s a different target audience though.
November 7th, 2008 at 2:49 pm
The work using TinyDNS for Internet related hosting makes sense based on the security concerns.
The real market IMHO is the enterprise, more specifically the internal systems/networks. This is where the money for purchasing appliances exists and is far greater than that for publishing public records.
My point was not strictly BIND, but the integration of DHCP, IP address management and DNS that many organizations struggle with and for which they are readily willing to purchase solutions. Your solution provides an attractive platform and one that could be offered at competitive pricing. Keep in mind that commercial appliance solutions start at about $5k and go to about 70k.
November 7th, 2008 at 5:01 pm
I already requested Scott add the DHCP Server, immediately after this was first released, as I do see uses where integrating this would be helpful.
IPAM is a more difficult one because I’ve yet to find a good open source package for this purpose. There are some options I’ve tried, none of which I personally cared for. The other challenge is most will require a database server, MySQL or Postgres, which starts getting us even further away from the hardened DNS appliance for hosting Internet DNS focus. If anyone knows of good open source solutions for IPAM, leave a comment.
Focusing on the enterprise class DNS/DHCP/IPAM appliance market may truly be a completely different product from pfDNS because making a feature for feature competitive solution would require getting away from the core focus of what this appliance is all about.
November 10th, 2008 at 4:35 pm
SQLite may have enough features to provide the DB functionality.
In any event the pfDNS work you guys have done is awesome and much appreciated. I hope the work on the DNS appliance capabilities continues in which ever shape or form.
November 10th, 2008 at 4:57 pm
I think the work will continue. I plan on using this appliance at work in place of a full blown pfSense installation. I also think since we have the source to tinydns we can add some of those “enterprise” features down the line…
November 11th, 2008 at 6:43 pm
I actually wonder if these applications can run in a Xen domain. And next, is a pfWEB/pfMAIL coming too?
November 12th, 2008 at 3:11 pm
The appliances are based on FreeBSD. There are people that are successfully running FreeBSD virtualized under Xen.
November 13th, 2008 at 4:29 pm
Very interesting indeed. Thanks for the work put into this Scott and interesting posts Frank.
November 21st, 2008 at 6:43 am
@Chris Buechler: MySQL and Postgres are too heavy for an appliance. You might want to look into SQLite and Firebird.
November 21st, 2008 at 10:19 am
simoncpu: that’s exactly what I was saying. I’m not looking at writing anything at this point, if you know of an open source IPAM solution that uses SQLite or similar, let me know.
Though depending on the purpose of the appliance, MySQL or Postgres aren’t necessarily too heavy. That’s definitely the case for something with a focus like pfDNS though.
November 21st, 2008 at 12:42 pm
My secondaries run BIND and I can’t change that. Is there a way to get pfDNS to notify BIND using something like tinydns-notify ?
November 21st, 2008 at 3:13 pm
aaron: that likely isn’t an uncommon case, but not something that is supported right now. Possibly in the future.
November 26th, 2008 at 6:54 am
I’ve tried pfDNS and it is working, but on name server lookup there is the same MX preference setting for more than one MX server on each domain. All MX records have preference 0. How do I arrange the MX preference?
November 27th, 2008 at 4:45 am
@ Chris and Scott – this is a wonderful idea. I was one of those who used a pfSense distro as a dedicated DNS (cache only) before pfDNS came out. Good thing I ran into this project – now I may consider changing my BIND Auth DNS to pfDNS. Keep up the great work guys!
December 31st, 2008 at 3:29 pm
[...] as it is today, but we have also set things up in a way that allows us to build appliances such as pfDNS, pfPBX, and more to come. This also makes it easier to build the rebranded versions of pfSense that [...]
January 10th, 2009 at 12:44 pm
Chris
What are the chances of seeing a pfSSL-appliance?
Regards,
January 10th, 2009 at 12:48 pm
Belthazar: SSL could be a lot of different things, what exactly would that do?
January 13th, 2009 at 12:56 am
Mainly to be used for remote access via Port 443 due to VPN traffic being restricted to remote networks.
January 13th, 2009 at 1:58 am
OpenVPN can accomplish that, don’t really need an appliance for it. There could be a pfVPN at some point including all the available VPN options. But you might as well run a stock pfSense for that purpose.
January 13th, 2009 at 2:14 pm
First, thanks for pfSense! I stumbled on it looking for content filtering solution. The combination of pfSense and Squid/SquidGuard were perfect!
I heard from somewhere that freeNAS will be available under pfSense.
When?
Reading other people’s posts makes me think that it’s possible to use Xen, pfSense, and FreeNAS on a single box. I am thinking of a LiveCD for a Xen-optimized distribution that will kick off pfSense and FreeNAS. Maybe it’s already done and I am just reinventing the wheel….
January 13th, 2009 at 8:36 pm
There are no plans to integrate FreeNAS. It was worked on some at one point, but never finished and there are no plans to finish that work. Virtualization would be a way to do it.
January 20th, 2009 at 11:13 am
pfDNS looks great, but using the backup/restore function killed my test setup (I am running it in a Parallels VM environment). Backup works fine, but restore nixes the interface – I get an access denied when I try to get back in to the management page.
January 20th, 2009 at 1:59 pm
Chris: pfDNS uses the same exact code (nothing has changed) as pfSense 2.0. Please test the backup and restore function on a recent 2.0 snapshot and let us know in the 2.0 testing area of the forum if it continues to be a problem.
February 17th, 2009 at 4:36 am
The host name of an MX record can only be “mx.exampledomain.com”; is there any way to change it, e.g. “mail.exampledomain.com” or “anyname.exampledomain.com”?
March 11th, 2009 at 1:56 pm
I seem to have a problem installing from the ISO. I have tried this booting either a laptop, or a virtual machine. Both behave the same…
Enter an option: 99
Launching pfDNS Installer…
ONe moment please…
No matching processes were found
kern.geom.debugflags: 0 -> 16
cat: /var/log/dmesg.boot: No such file or directory
cat: /var/log/dmesg.boot: No such file or directory
Launching LUA Installer…
March 12th, 2009 at 3:05 am
Steven: Please post on the forum where we can follow up.
March 23rd, 2009 at 2:05 am
@Frank
Second the bulk import. Any format would work, but BIND or TinyDNS’s own data file format would be best. I just manually massaged several hundred records into the config.xml and it was a huge pain in the butt.
Of course now that they’re in there I don’t need that functionality anymore myself, but I’m sure anybody else thinking of using it in a production environment would be thrilled!
March 23rd, 2009 at 2:34 am
Definitely some MX record handling bugs. As posted separately above, all MX records resolve as mx.domain.com and the priority is always 0.
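The MX symptom reported in these comments (every exchanger named mx.&lt;domain&gt;, every preference 0), worked through as an added example that is not pfDNS or pfSense package code: it builds and checks tinydns `@` lines assuming only the documented tinydns-data format, where an exchanger field without a dot becomes x.mx.&lt;zone&gt; and an omitted distance is 0, so an empty exchanger field produces exactly that symptom. The example.com names and the sample data are constructed for the example.

```python
"""Added example (not pfDNS or pfSense package code): build and sanity-check
tinydns '@' (MX) data lines. It assumes only the documented tinydns-data format
@fqdn:ip:x:dist:ttl, where the exchanger is named x.mx.fqdn unless x contains a
dot (then x is used as given) and an omitted dist means distance 0."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class MXEntry:
    zone: str        # domain the MX record belongs to, e.g. example.com
    exchanger: str   # mail server host name as it should appear in the RDATA
    preference: int  # MX preference (lower is tried first); tinydns's "dist"
    ip: str = ""     # optional: tinydns also emits an A record for it if set

def mx_line(entry: MXEntry, ttl: int = 3600) -> str:
    """Render one '@' line; the exchanger is written dotted so tinydns-data
    uses it as given instead of appending .mx.<zone>."""
    if not 0 <= entry.preference <= 65535:
        raise ValueError(f"preference out of range: {entry.preference}")
    if "." not in entry.exchanger:
        raise ValueError("exchanger must be a fully qualified (dotted) name")
    return f"@{entry.zone}:{entry.ip}:{entry.exchanger}:{entry.preference}:{ttl}"

def exchanger_name(zone: str, x: str) -> str:
    """Name tinydns-data derives from field x; empty labels are dropped, so an
    empty x collapses to mx.<zone>, the name reported in the comments."""
    labels = [lab for lab in x.split(".") if lab]
    return ".".join(labels if "." in x else labels + ["mx", zone])

def parse_mx_lines(data: str) -> list[MXEntry]:
    """Parse the '@' lines of a tinydns data file; other line types are skipped."""
    entries = []
    for raw in data.splitlines():
        if not raw.startswith("@"):
            continue
        fields = raw[1:].split(":") + [""] * 5  # pad omitted optional fields
        zone, ip, x, dist, _ttl = fields[:5]
        entries.append(MXEntry(zone, exchanger_name(zone, x), int(dist or 0), ip))
    return entries

def find_mx_problems(entries: list[MXEntry]) -> list[str]:
    """Flag zones whose MX records all name one exchanger (only one host is ever
    offered) or all share one preference (no primary/backup ordering)."""
    by_zone: dict[str, list[MXEntry]] = {}
    for e in entries:
        by_zone.setdefault(e.zone, []).append(e)
    problems = []
    for zone, mxs in by_zone.items():
        if len(mxs) < 2:
            continue
        if len({e.exchanger for e in mxs}) == 1:
            problems.append(f"{zone}: all {len(mxs)} MX records name {mxs[0].exchanger}")
        if len({e.preference for e in mxs}) == 1:
            problems.append(f"{zone}: all MX records share preference {mxs[0].preference}")
    return problems

# Constructed sample data (not from the page): the same zone written with empty
# exchanger and distance fields, and with explicit exchangers and preferences.
BROKEN = "@example.com:192.0.2.10:::3600\n@example.com:192.0.2.11:::3600\n"
FIXED = "\n".join(mx_line(e) for e in [
    MXEntry("example.com", "mail1.example.com", 10, "192.0.2.10"),
    MXEntry("example.com", "mail2.example.com", 20, "192.0.2.11"),
])
```

Running find_mx_problems over BROKEN reports both symptoms for example.com, while FIXED comes back clean.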
March 29th, 2009 at 9:46 am
I like the idea, hope it will be integrated into the regular pfsense install
April 11th, 2009 at 2:40 pm
Sorry guys, but pfDNS.iso.gz is missing again…
April 11th, 2009 at 9:51 pm
Not sure why Scott removed it this time, but I added it back. It needs an updated build sometime soon. There are some bug fixes in the works for some of the issues noted here amongst others.
April 11th, 2009 at 9:53 pm
AlmightyOatmeal: It’s no different from the package that’s been available in normal pfSense full installs for a long time before this appliance was made available.
April 12th, 2009 at 2:19 am
@arix
Some bug fixes for MX records and other misc stuff have been merged. Reload the package and try again?
April 15th, 2009 at 11:58 pm
# gunzip -f pfDNS.iso.gz
gunzip: Invalid magic
—————————-
Does anyone have any ideas how to extract the real ISO image? the GZ image isn’t working for me. I need to be able to mount the ISO file as a CDROM to a VMWare image to boot.
I tried extracting on my windows machine and then creating a bootable image ISO from the resulting dir. It boots, it finds the boot loader, but it doesn’t find the kernel.
————————
CD Loader 1.2
Building the boot loader arguments
Looking up /BOOT/LOADER… Found
Relocating the loader and the BTX
Starting the BTX loader
BTX loader 1.00 BTX version is 1.02
Console: internal video/keyboard
BIOS CD is cd0
BIOS drive A: is disk0
BIOS drive C: is disk1
BIOS 638kB/522176kB available memory
FreeBSD/i386 bootstrap loader, Revision 1.1
(sullrich@builder7-nexus-computer.pfsense.org, Mon Oct 27 01:20:12 EDT 2008)
\
can’t load ‘kernel’
Type ‘?’ for a list of commands, ‘help’ for more detailed help.
OK _
————————
The above is the result of the bootable image of the extracted gz files.
HELP!!!
April 16th, 2009 at 12:29 am
Fred: Don’t know, works for me. There needs to be an update built, “Itwerx” fixed a number of issues with the DNS server package. Right now you’re better off running pfSense with the latest DNS server package. An update will come.
April 16th, 2009 at 10:11 am
Please try http://cvs.pfsense.com/~sullrich/pfDNS/pfDNS.iso which is a newer version of pfDNS based on FreeBSD 8.
April 16th, 2009 at 8:30 pm
Scott: Thank you, the new ISO works much much better. GratZ!!
April 20th, 2009 at 11:20 am
Got it this time! Great work, I’ll try it out…
NB:
I am unable to make a donation via paypal because my country is not in their list. Can you add Google or something for donations? I understand that they are not as restrictive as paypal.
I have been trying to join your development for quite a while now, since before GIT, but after getting an ISO, I find out that something somewhere is corrupt. Quite discouraging after downloading so many GB of data! And I don’t know how to specifically find out where the corruption or problem is from! I really would have loved to try out this appliance thingy, and also contribute to your efforts…
April 20th, 2009 at 7:54 pm
Odawayi: No other methods of donations right now, maybe in the future. Not sure what download problems you were having, aside from the problem pfDNS iso that was up for a day or two there aren’t any problems.
April 30th, 2009 at 9:49 am
Great work guys, I have been using and recommending pfSense for quite a while (great product). I was hunting for an IPAM Opensource solution and as stated above I see a huge market (open) for it.
Do you think it will happen (just DNS/DHCP and IP allocation/reporting)?
Keep up the good work
Bob
April 30th, 2009 at 11:56 am
Stelthn: right now probably only DNS/DHCP. I don’t anticipate IPAM support unless someone comes forth willing to fund the development.
May 18th, 2009 at 3:27 pm
I would like to suggest a lot of small appliances like pfDNS, pfProxy, pfMail, and so on, with the mother appliance pfSense.
This will disappoint me, since I will not be able to deploy multiple services on one appliance, so what I suggest is a unified packaging system in all appliances beside the original service, this will allow me to install as much services as needed on the appliance.
My warm greetings to the development team, keep up the invaluable great work.
Regards
May 18th, 2009 at 3:37 pm
Laith: the packages available in appliances will all be available on pfSense, the appliances are just for those who want a single purpose device. So if you must do it all on one box, there isn’t anything keeping you from doing so.
July 20th, 2009 at 7:04 pm
Scott, why did you go with FreeBSD 8? I’d really like to try to get this on a production box, but 8 being a current release... Also, is axfrdns included in this build, or can it be easily integrated after the install?
September 24th, 2009 at 8:32 pm
This is exactly what I am looking for. Single purpose (well dns/dhcp) so that I let others in and manage dns/dhcp and not have them on pfsense router.
October 27th, 2009 at 6:41 pm
Hi,
I am looking for a new solution for firewalls/VPN and DNS for a client and have been pointed to this.
I am a newbie to this and found it hard to work out how to build this pfdns and what is required.
Are there any step by step instructions for “Dummies” on how to complete this including what packages are required?
Thanks
George
November 10th, 2009 at 2:34 am
What’s the status of pfDNS? Is this still the best ISO to use:
http://cvs.pfsense.com/~sullrich/pfDNS/pfDNS.iso
… or is this a better one:
http://cvs.pfsense.com/~sullrich/pfDNS/pfDNS-09-24-09.iso.gz
From the looks of it, the latter is the newest one … but maybe not the best?
Thx
December 8th, 2009 at 2:31 pm
I tried the FreeBSD 8.0-based version.
I installed it in a VM, with a single interface.
But when I go to Services->DNS Servers, I get a 404.
Probably the install went bad.
Does anybody have a working VM (vmware)?
Too bad it’s still alpha. I would need something like pfDNS now.
Best Regards,
Rainer
January 26th, 2010 at 10:21 pm
In the beginning, computers were slow. One of them was needed to host each service. We had a mail server, a web server, a DNS server, a proxy server, everything ran on dedicated hardware. As time passed by, the computers became faster, thus allowing multiple appliances to run on a single computer. Man upgraded to faster systems that could run it all on less hardware. Now, under the motto of energy conservation, we step back into the realm of slower, dedicated computers. Kind of like the fashion cycles. Other than that, nice project. I might do a pfIRC server if I can find the time, I like the dedicated appliance ideology.
January 27th, 2010 at 2:51 pm
phase: doesn’t necessarily have to be a dedicated piece of hardware, though an ALIX runs at around 3-5 watts so you can run a bunch of them and use less power than a single PC or server. More commonly I would expect to see this kind of thing running on a virtual machine.
March 3rd, 2010 at 12:03 pm
Curious as to what is the best way to get data into a new pfDNS system. I see that pfDNS can sync to other DNS servers, but how about it pulling the data from an existing server and then turning pfDNS into the primary for the zone?
April 12th, 2010 at 5:58 am
Any updates on this nice project from Pfsense?
April 19th, 2010 at 10:12 pm
I agree with John, I would love to use this package/appliance but there’s no easy way to import/script previous configs over. Hopefully this functionality will be added soon.