Appliance building with pfSense – Introducing pfDNS!

October 26th, 2008 by Scott Ullrich

While reworking the builder system for a commercial client that is
basing their appliance on pfSense we needed a builder target that
could be public and show how to build an appliance from scratch.

Therefore, pfDNS is born!  http://snipurl.com/4q1xe


pfDNS is a customized pfSense installation featuring the TinyDNS server package, built for hosting DNS. XMLRPC sync support to secondary nameservers means you only need to enter the information on the primary name server, which makes administering your primary and secondary name servers a breeze. Depending on how popular this gets we might add a website and start making regular releases :)

To see how pfDNS was created, check out
tools/builder_scripts/builder_profiles/pfDNS.

Building this appliance could not be easier!  Simply copy
tools/builder_scripts/builder_profiles/pfDNS/pfsense_local.sh to
/home/pfsense/tools/builder_scripts/ and run build_iso.sh and presto!

I hope this example appliance will help others on their quest when
building a custom appliance based on the pfSense framework.

Edit: an updated version is available, based on FreeBSD 8 and a newer DNS package with a number of bug fixes.

What do you all think?  Leave comments in the blog.

Also, Holger is working on some artwork that I will get in there soon. I’ll
post an updated ISO at that point (just look for a newer mtime).

EDIT: artwork added. It is a work in progress but gives a better idea of how the builder system can customize an appliance.

78 Responses to “Appliance building with pfSense – Introducing pfDNS!”

  1. rud Says:

    Amazing!
    This could mean a new era for pf-based appliances: pfMail? pfProxy?

    Keep up the tremendously good work!

  2. alam Says:

    great news, I always put djbdns to accompany my squid server.

    perhaps I can create proxy appliance from this example.

    thank you for great effort

  3. dirk Says:

    pfProxy would be great, especially to run it on a Soekris 4511.

  4. H. Volpers Says:

    Hi,

    sounds like. I think it would be great to have a plugin interface (I’m new to pfsense, don’t know if something like that exists) – I think a configuration entry and the php files to configure the plugin would do the job, so everyone can create his own packages …

    Just my 2 cents.

    P.S.: I love djbdns, go ahead ;)

  5. Chris Buechler Says:

    H.Volpers: there’s already a package system that does what you describe, has been for years.

    dirk: a similar proxy appliance is possible in the future, but not one that’ll run on a Soekris 45xx. Those boxes are far too slow to be usable for much anymore, and don’t have enough RAM to run pfSense.

    The same thing pfDNS does is possible with pfSense – just install the DNS server package. But this is a better solution for a single-purpose DNS/DHCP/etc. appliance.

  6. Frank Says:

    First I love the idea. Just downloaded and tried the pfDNS ISO – looks very nice. Some ideas you may want to consider:

    - ability to verify a zone file
    - ability to import existing zone file
    - graph DNS statistics (http://develooper.com/code/tinydns-rrd/ and http://main.merlin.com.ua/doc/rrd/gallery/nate-01.html)

  7. sullrich Says:

    Frank: Great ideas, thanks. However, those scripts are written in Perl. If someone wants to write a collector script in PHP or sh, please let me know.

    Can you be more specific about verifying a zone file? Actually query each record against the NS to verify that it is working correctly?

  8. Frank Says:

    I did not look at the script in detail. If there is no one else, I may be able to find some time to do the script conversion.

    What I was thinking with respect to verifying the zone file is when importing an existing BIND file. If someone has existing BIND zones, it would be very useful to simply import them to the pfDNS, and at the same time verify that there are no issues with each file.

  9. cheesyboofs Says:

    I like the green theme – I would like to see a matching one for pfsense in yellow or orange perhaps!

  10. hoba Says:

    @cheesyboofs: you mean basically the same theme but with the pfsense logo, maybe in amber? I might do that once it is finished but chances are that this theme will be pfdns exclusive (though you could manually install it on a pfsense too of course). There is still some work to do on this theme as I want to redo all the buttons as well but it’s slowly getting there. Check out the new blogpost with the updated shot :-)

  11. cheesyboofs Says:

    QUOTE: ”You mean basically the same theme but with the pfsense logo, maybe in amber?”

    Exactly! And then if new appliances are created in the future they can use the same theme but in a different colour again. This would be a clear reminder of which appliance you were messing with. I also think it’s a nice theme, and I haven’t got access to the original files to tweak them myself ;p

  12. hoba Says:

    @cheesyboofs: getting access to the theme files is fairly easy. Install the pfDNS appliance, enable SSH, and use a tool like WinSCP or FileZilla to download the theme folder from /usr/local/www/themes/pfDNS, then do a hue shift for all the needed images and modify the .css files to change the colour set. Re-upload and you should be done. You’ll probably want to wait until the theme is finished before doing this. Maybe I’ll add the complete image sources to the artwork section in our CVS too later so users can make their own modifications to the images.

  13. Ctek Says:

    Great job! It seems that this is what will be needed… smaller dedicated / single-purpose machines rather than one big one to do it all (proxy, mail, dns, ftp, http, etc).

    Of course this does NOT mean that pfSense is less capable of this stuff.

    Best regards to the team !

  14. Endurion Says:

    The links to the ISO and img files are broken, atm.

  15. Chris Buechler Says:

    Scott must be updating the images. Not sure, I emailed him to let him know

  16. Chris Buechler Says:

    A new version will be available in the next day or so, on FreeBSD 7.1. Scott overwrote the old version with a newer build that didn’t work, and didn’t keep a copy of the previous. I’m putting back the iso right now.

  17. Frank Says:

    It is unclear for me what is meant by your reference of primary and secondary – is the context DNS?

    “XMLRPC sync support to secondary nameservers means you only need to enter the information on the primary name server making administration a breeze for your primary and secondary name servers. ”

    If the context is DNS, what is unclear is why XMLRPC is important as the secondary should already pull the zones from the primary.

  18. Scott Ullrich Says:

    TinyDNS is not set up for zone transfers.

  19. Frank Says:

    Here is an alternate DNS stats graphing solution – TinyStats. There is even a FreeBSD port. It is written in C, please have a look for consideration of including it.

    http://morettoni.net/tinystats.en.html

  20. Gordon O. Says:

    Is the ISO still available?

    It seems to have dropped off!

  21. Scott Ullrich Says:

    Nice find Frank! I’ll look at adding that.

  22. Chris Buechler Says:

    I put the old iso back again (we inadvertently removed it while clearing up some disk space)

    Updated releases will come once Scott gets some builder issues sorted out.

  23. Frank Says:

    I’ve been doing some reading on TinyDNS and it appears limited (by design) with additional capabilities available as separate programs. As there are commercial vendors selling DNS/DHCP/IPAM appliances there is a viable market for your idea. What is the thinking of using TinyDNS versus BIND where the integration of other services such as DHCP would work very well. The integration of the two would also allow to perform IP address management reporting.

  24. Scott Ullrich Says:

    The thinking is its track record. TinyDNS has not had one exploitable hole since its inception. I for one do not feel comfortable with Buggy Internet Name Daemon.

  25. Chris Buechler Says:

    This isn’t intended as a feature for feature competitor with the typical commercial DNS/DHCP/IPAM appliance.

    There is a market for those serving only public DNS on the Internet where tinydns provides everything you need. It’s lightweight and fast, and has a flawless security track record. When hosting public Internet DNS, you don’t need all the functionality that BIND offers, and all that functionality has come at great expense to the security of the software. BIND has a decent record of late, but its all-time security track record is atrocious.

    The primary intended use of pfDNS at this time is for public Internet DNS hosting. It offers a more secure and faster solution for such deployments.

    I wouldn’t mind seeing the option of a BIND package at some point for hosting internal DNS where you require functionality TinyDNS can’t provide. That’s a different target audience though.

  26. Frank Says:

    The work using TinyDNS for Internet related hosting makes sense based on the security concerns.

    The real market IMHO is the enterprise, more specifically the internal systems/networks. This is where the money for purchasing appliances exists and is far greater than that for publishing public records.

    My point was not strictly BIND, but the integration of DHCP, IP address management and DNS that many organizations struggle with and for which they are readily willing to purchase solutions. Your solution provides an attractive platform and one that could be offered at competitive pricing. Keep in mind that commercial appliance solutions start at about $5k and go to about 70k.

  27. Chris Buechler Says:

    I already requested Scott add the DHCP Server, immediately after this was first released, as I do see uses where integrating this would be helpful.

    IPAM is a more difficult one because I’ve yet to find a good open source package for this purpose. There are some options I’ve tried, none of which I personally cared for. The other challenge is most will require a database server, MySQL or Postgres, which starts getting us even further away from the hardened DNS appliance for hosting Internet DNS focus. If anyone knows of good open source solutions for IPAM, leave a comment.

    Focusing on the enterprise class DNS/DHCP/IPAM appliance market may truly be a completely different product from pfDNS because making a feature for feature competitive solution would require getting away from the core focus of what this appliance is all about.

  28. Frank Says:

    SQLite may have enough features to provide the DB functionality.

    In any event the pfDNS work you guys have done is awesome and much appreciated. I hope the work on the DNS appliance capabilities continues in which ever shape or form.

  29. Scott Ullrich Says:

    I think the work will continue. I plan on using this appliance at work in place of a full blown pfSense installation. I also think since we have the source to tinydns we can add some of those “enterprise” features down the line…

  30. Dimitri Says:

    I actually wonder if these applications can run on a XEN domain. And next, if a pfWEB/pfMAIL is coming too :)

  31. Frank Says:

    The appliances are based on FreeBSD. There are people that are successfully running FreeBSD virtualized under Xen.

  32. PredatoryFern Says:

    Very interesting indeed. Thanks for the work put into this Scott and interesting posts Frank.

  33. simoncpu Says:

    @Chris Buechler: MySQL and Postgres are too heavy for an appliance. You might want to look into SQLite and Firebird.

  34. Chris Buechler Says:

    simoncpu: that’s exactly what I was saying. I’m not looking at writing anything at this point, if you know of an open source IPAM solution that uses SQLite or similar, let me know.

    Though depending on the purpose of the appliance, MySQL or Postgres aren’t necessarily too heavy. That’s definitely the case for something with a focus like pfDNS though.

  35. aaron Says:

    My secondaries run BIND and I can’t change that. Is there a way to get pfDNS to notify BIND using something like tinydns-notify ?

  36. Chris Buechler Says:

    aaron: that likely isn’t an uncommon case, but not something that is supported right now. Possibly in the future.

  37. Settiwol Says:

    I’ve tried pfdns and it’s working, but on name server lookup there is the same MX preference setting for more than one MX server on each domain. All MX records have preference 0. How do I arrange the MX preference?

  38. djmizt Says:

    @ Chris and Scott – this is a wonderful idea. I was one of those who used a pfsense distro as a dedicated DNS (cache only) before pfDNS came out… good thing I ran into this project – now I may consider changing my BIND Auth DNS to pfDNS… keep up the great work guys!

  39. pfSense Digest » Blog Archive » pfSense in 2009 Says:

    [...] as it is today, but we have also set things up in a way that allows us to build appliances such as pfDNS, pfPBX, and more to come. This also makes it easier to build the rebranded versions of pfSense that [...]

  40. Belthazar Says:

    Chris

    What are the chances of seeing a pfSSL-appliance?

    Regards,

  41. Chris Buechler Says:

    Belthazar: SSL could be a lot of different things, what exactly would that do?

  42. Belthazar Says:

    Mainly to be used for remote access via Port 443 due to VPN traffic being restricted to remote networks.

  43. Chris Buechler Says:

    OpenVPN can accomplish that, don’t really need an appliance for it. There could be a pfVPN at some point including all the available VPN options. But you might as well run a stock pfSense for that purpose.

  44. wheelreinventor Says:

    First, thanks for pfSense! I stumbled on it looking for content filtering solution. The combination of pfSense and Squid/SquidGuard were perfect!
    I heard from somewhere that freeNAS will be available under pfSense.
    When?
    Reading other peoples posts make me think that it’s possible to use Xen, pfSense, and freeNAS on single box. I am thinking LiveCD for Xen optimized distribution, that will kick off pfSense and freeNAS. Maybe it’s already done and I am just reinventing the wheel….

  45. Chris Buechler Says:

    There are no plans to integrate FreeNAS. It was worked on some at one point, but never finished and there are no plans to finish that work. Virtualization would be a way to do it.

  46. Chris Says:

    PFdns looks great, but using the backup/restore function killed my test setup (I am running it in a Parallels VM environment). Backup works fine, but restore nixes the interface – I get an access denied when I try to get back in to the management page.

  47. Scott Ullrich Says:

    Chris: pfDNS uses the same exact code (nothing has changed) as pfSense 2.0. Please test the backup and restore function on a recent 2.0 snapshot and let us know in the 2.0 testing area of the forum if it continues to be a problem.

  48. arix Says:

    The host name of the MX record can only be “mx.exampledomain.com”. Is there any way to change it, e.g. “mail.exampledomain.com” or “anyname.exampledomain.com”?

  49. Steven Finnegan Says:

    I seem to have a problem installing from the ISO. I have tried this booting either a laptop, or a virtual machine. Both behave the same…

    Enter an option: 99

    Launching pfDNS Installer…

    ONe moment please…

    No matching processes were found
    kern.geom.debugflags: 0 -> 16
    cat: /var/log/dmesg.boot: No such file or directory
    cat: /var/log/dmesg.boot: No such file or directory
    Launching LUA Installer…

  50. Chris Buechler Says:

    Steven: Please post on the forum where we can follow up.

  51. Itwerx Says:

    @Frank
    Second the bulk import. Any format would work, but BIND or TinyDNS own data file format would be best. I just manually massaged several hundred records into the config.xml and it was a huge pain in the butt.
    Of course now that they’re in there I don’t need that functionality anymore myself, but I’m sure anybody else thinking of using it in a production environment would be thrilled! :)

  52. Itwerx Says:

    Definitely some MX record handling bugs. As posted separately above, all MX records resolve as mx.domain.com and the priority is always 0.

  53. AlmightyOatmeal Says:

    I like the idea, hope it will be integrated into the regular pfsense install

  54. Odawayi Says:

    Sorry guys, but pfDNS.iso.gz is missing again…

  55. Chris Buechler Says:

    Not sure why Scott removed it this time, but I added it back. It needs an updated build sometime soon. There are some bug fixes in the works for some of the issues noted here amongst others.

  56. Chris Buechler Says:

    AlmightyOatmeal: It’s no different from the package that’s been available in normal pfSense full installs for a long time before this appliance was made available.

  57. Itwerx Says:

    @arix

    Some bug fixes for MX records and other misc stuff have been merged. Reload the package and try again?

  58. Fred Devoir Says:

    # gunzip -f pfDNS.iso.gz
    gunzip: Invalid magic
    —————————-
    Does anyone have any ideas how to extract the real ISO image? the GZ image isn’t working for me. I need to be able to mount the ISO file as a CDROM to a VMWare image to boot.

    I tried extracting on my windows machine and then creating a bootable image ISO from the resulting dir. It boots, it finds the boot loader, but it doesn’t find the kernel.
    ————————
    CD Loader 1.2

    Building the boot loader arguments
    Looking up /BOOT/LOADER… Found
    Relocating the loader and the BTX
    Starting the BTX loader

    BTX loader 1.00 BTX version is 1.02
    Console: internal video/keyboard
    BIOS CD is cd0
    BIOS drive A: is disk0
    BIOS drive C: is disk1
    BIOS 638kB/522176kB available memory

    FreeBSD/i386 bootstrap loader, Revision 1.1
    (sullrich@builder7-nexus-computer.pfsense.org, Mon Oct 27 01:20:12 EDT 2008)
    \
    can’t load ‘kernel’

    Type ‘?’ for a list of commands, ‘help’ for more detailed help.
    OK _
    ————————
    The above is the result of the bootable image of the extracted gz files. :(

    HELP!!!

  59. Chris Buechler Says:

    Fred: Don’t know, works for me. There needs to be an update built, “Itwerx” fixed a number of issues with the DNS server package. Right now you’re better off running pfSense with the latest DNS server package. An update will come.

  60. Scott Ullrich Says:

    Please try http://cvs.pfsense.com/~sullrich/pfDNS/pfDNS.iso which is a newer version of pfDNS based on FreeBSD 8.

  61. Fred Devoir Says:

    Scott: Thank you the new ISO works much much better. GratZ!!

  62. Odawayi Says:

    Got it this time! Great work, I’ll try it out…
    NB:
    I am unable to make a donation via paypal because my country is not in their list. Can you add Google or something for donations? I understand that they are not as restrictive as paypal.
    I have been trying to join your development for quite a while now, since before GIT, but after getting an ISO, I find out that something somewhere is corrupt. Quite discouraging after downloading so many GB of data! And I don’t know how to specifically find out where the corruption or problem is from! I really would have loved to try out this appliance thingy, and also contribute to your efforts…

  63. Chris Buechler Says:

    Odawayi: No other methods of donations right now, maybe in the future. Not sure what download problems you were having, aside from the problem pfDNS iso that was up for a day or two there aren’t any problems.

  64. Stealthn Says:

    Great work guys, I have been using and recommending pfSense for quite a while (great product). I was hunting for an IPAM Opensource solution and as stated above I see a huge market (open) for it.

    Do you think it will happen (just DNS/DHCP and IP allocation/reporting)?

    Keep up the good work

    Bob

  65. Chris Buechler Says:

    Stealthn: right now probably only DNS/DHCP. I don’t anticipate IPAM support unless someone comes forth willing to fund the development.

  66. Laith Z. Says:

    I would like to suggest a lot of small appliances like pfDNS, pfProxy, pfMail, and so on, with the mother appliance pfSense.

    This will disappoint me, since I will not be able to deploy multiple services on one appliance. So what I suggest is a unified packaging system in all appliances beside the original service; this will allow me to install as many services as needed on the appliance.

    My warm greetings to the development team, keep up the invaluable great work.

    Regards

  67. Chris Buechler Says:

    Laith: the packages available in appliances will all be available on pfSense, the appliances are just for those who want a single purpose device. So if you must do it all on one box, there isn’t anything keeping you from doing so.

  68. marvin Says:

    Scott, why did you go with FreeBSD 8? I’d really like to try to get this on a production box, but 8 being a current release… Also, is axfrdns included in this build or can it be easily integrated after the install?

  69. John Says:

    This is exactly what I am looking for. Single purpose (well dns/dhcp) so that I let others in and manage dns/dhcp and not have them on pfsense router.

  70. George Says:

    Hi,

    I am looking for a new solution for firewalls/VPN and DNS for a client and have been pointed to this.

    I am a newbie to this and found it hard to work out how to build this pfdns and what is required.

    Are there any step by step instructions for “Dummies” on how to complete this including what packages are required?

    Thanks
    George

  71. Martin Says:

    What’s the status of pfDNS? Is this still the best ISO to use:

    http://cvs.pfsense.com/~sullrich/pfDNS/pfDNS.iso

    … or is this a better one:

    http://cvs.pfsense.com/~sullrich/pfDNS/pfDNS-09-24-09.iso.gz

    From the looks of it, the latter is the newest one … but maybe not the best?

    Thx

  72. Rainer Says:

    I tried the FreeBSD 8.0-based version.
    I installed it in a VM, with a single interface.
    But when I go to Services->DNS Servers, I get a 404.
    Probably the install went bad.
    Does anybody have a working VM (vmware)?

    Too bad it’s still alpha. I would need something like pfDNS now.

    Best Regards,
    Rainer

  73. phase Says:

    In the beginning, computers were slow. One of them was needed to host each service. We had a mail server, a web server, a DNS server, a proxy server, everything ran on dedicated hardware. As time passed by, the computers became faster, thus allowing multiple appliances to run on a single computer. Man upgraded to faster systems that could run it all on less hardware. Now, under the motto of energy conservation, we step back into the realm of slower, dedicated computers. Kind of like the fashion cycles. Other than that, nice project. I might do a pfIRC server if I can find the time, I like the dedicated appliance ideology. ;)

  74. Chris Buechler Says:

    phase: doesn’t necessarily have to be a dedicated piece of hardware, though an ALIX runs at around 3-5 watts so you can run a bunch of them and use less power than a single PC or server. More commonly I would expect to see this kind of thing running on a virtual machine.

  75. John Carter Says:

    Curious as to what is the best way to get data into a new PFDns system. I see that pfdns can sync to other dns servers, but how about it sucking the data from an existing server and then turn pfdns into the primary for the zone.

  76. edong Says:

    Any updates on this nice project from Pfsense?

  77. Eric Says:

    I agree with John, I would love to use this package/appliance but there’s no easy way to import/script previous configs over. Hopefully this functionality will be added soon.

  78. Rick L Says:

    A stand-alone DNS is what I would like to use locally. I see this has possibly fallen prey to other priorities. Too bad, an updated version would be very helpful.
