Specify DHCP configuration details
/etc/dhcpd.conf
The dhcpd.conf file is a free-form ASCII text file containing a list of statements that dhcpd uses for DHCP configuration.
To create a dhcpd.conf file, you enter a scope keyword first, followed by a pair of braces ({}) enclosing the parameter and declaration statements that apply within that scope. If there is no preceding scope keyword, the statement applies globally.
The following keywords define the scope for following statements:
The group keyword is unusual in that it may be located anywhere under global. Thus groups may contain shared-networks and subnets, as well as hosts. |
The order of precedence for parameters is in reverse hierarchical order: that is from the specific to the general. If a parameter for a machine is specified in the host section and a different parameter is specified for the same machine in the subnet section, the value in the host section applies. We'll explain the scope keywords in this order of precedence.
The host keyword signifies that any following statements are to be applied to a unique host machine on the network.
There must be at least one host statement for every BOOTP client that is to be served. host statements may also be specified for DHCP clients, although this is not required unless booting is enabled for known hosts only.
If it is desirable to be able to boot a DHCP or BOOTP client on more than one subnet with fixed addresses, more than one address may be specified in the fixed-address parameter, or more than one host statement may be specified.
If client-specific boot parameters must change based on the network to which the client is attached, then multiple host statements should be used.
If you want to allocate a dynamic address only when it is not possible to boot with a fixed address, a host statement must be specified without a fixed-address clause.
The host declarations are matched to actual DHCP or BOOTP clients by matching the dhcp-client-identifier option specified in the host declaration to the one supplied by the client, or, if the host declaration or the client does not provide a dhcp-client-identifier option, by matching the hardware parameter in the host declaration to the network hardware address supplied by the client. BOOTP clients do not normally provide a dhcp-client-identifier, so the hardware address must be used for all clients that may boot using the BOOTP protocol.
You declare a host statement like this:
host name{ [ parameters ] [ declarations ] }
where name is a unique host name (for an example and restrictions on use, see the entry for use-host-decl-names flag; in the section on Parameter statements, below)
Examples of parameters that might be assigned a value under a typical host scope are:
The group scope may include individual hosts, shared networks, subnets, or even other groups.
If some machines on a subnet share common parameters but others don't, you might want to create a group scope to cover the similar machines without having to treat them as a separate subnet. You do this by using the group keyword. All of the options included within the group scope declaration apply to that group. As with subnets, this scope can also specify individual hosts with the group.
For example, you may want to provide a large set of addresses for DHCP clients that are registered to your DHCP server, while providing a smaller set of addresses, possibly with shorter lease times, for unknown clients. Or, if you have a firewall, you may be able to arrange for addresses from one group to be allowed access to the Internet, while addresses in another group are not; thus encouraging users to register their DHCP clients.
Within either the group or subnet declarations, you can specify parameters for individual hosts, just as when the hosts are part of a shared network. |
You can also vary the facilities afforded to members of the same group by partitioning them within the group, like this:
group{ default-lease-time 100000; option routers 192.168.42.1; host fantasia { hardware ethernet 08:00:07:26:c0:a5; } host passacaglia { hardware ethernet 0:0:c0:5d:bd:95; } host confusia { hardware ethernet 02:03:04:05:06:07; default-lease-time 200000; } }
All three machines in this group share the same router but, while leases for fantasia and passacaglia last for 100,000 seconds, confusia enjoys a 200,000-second lease.
For every subnet that will be served, and for every subnet to which the DHCP server is connected, there must be subnet declarations that tell dhcpd how to recognize that an address is on that subnet. A subnet declaration is required for each subnet, even if no addresses will be dynamically allocated on that subnet.
If clients on a subnet are to be assigned addresses dynamically, a range declaration must appear within the subnet declaration. The range statement contains the pool of IP addresses that can be allocated on this subnet. For clients with statically assigned addresses, or for installations where only known clients will be served, each such client must have a host declaration.
If parameters are to be applied to a group of declarations which are not related strictly on a per-subnet basis, the group declaration can be used.
Any subnets in a shared network should be declared within a shared-network statement.
Here's what a subnet statement looks like:
subnet subnet-number netmask netmask-number{ [ parameters ] [ declarations ] }
The subnet-number variable should be an IP address or domain name that resolves to the subnet number of the subnet being described. The netmask-number variable should be an IP address or domain name which is applied to the subnet-number to determine the subnet address. The subnet-number and netmask-number are used together to determine whether any given IP address is on the specified subnet.
Although a netmask must be given with every subnet statement, if a site has different subnet masks, you should include a subnet-mask option statement in the declaration for each subnet to set the desired subnet mask (see Standard DHCP option statements, below). Any such subnet-mask option statement overrides the netmask declared in the top line of the subnet statement.
Some installations have physical networks on which more than one IP subnet operates. For example, if there is a site-wide requirement that 8-bit subnet masks be used, but a department with a single physical Ethernet network expands to the point where it has more than 254 nodes, it may be necessary to run two 8-bit subnets on the same Ethernet until such time as a new physical network can be added. In this case, the subnet declarations for these two networks must be enclosed in a shared-network declaration.
Some sites may have departments that have clients on more than one subnet, but you might want to offer clients in the same department a uniform set of parameters, regardless of the subnet they are on. For clients which will be declared explicitly with host declarations, these declarations can be enclosed in a group declaration along with the parameters which are common to that department.
Shared networks are separate networks that use the same physical network segment. Uses include things like restricting certain device types to specific segments or separating machines before moving them to a different network segment.
A shared-network can contain any combination of subnets, groups, and hosts.
You must declare all the subnets in a shared network within a shared-network statement. Clients on these subnets are booted using the parameters specified in the shared-network statement, unless parameters provided at the subnet or host level override them. If any subnet in a shared network has addresses available for dynamic allocation, those addresses are collected into a common pool for that shared network and assigned to clients as needed. There is no way to distinguish on which subnet of a shared network a client should boot.
The syntax for a shared-network statement is:
shared-network name { [ parameters ] [ declarations ] }
You can use a valid domain name for name, but as this variable is used only when printing debugging messages, you might want to use descriptive text (enclosed in quotes) instead.
The global keyword may be used on its own or inside lower scope declarations, like subnet or group. It denotes that any following statements are to be applied globally, either within another scope or on the whole network. Normally, the global keyword is omitted because it is the default.
Statements cover:
The range statement specifies the IP addresses that may be allocated to clients within a defined scope.
For any subnet on which addresses will be assigned dynamically, there must be at least one range statement. The range statement gives the lowest and highest IP addresses in a range. All IP addresses in the range should be in the subnet in which the range statement is declared. The dynamic-bootp flag may be specified if addresses in the specified range may be dynamically assigned to BOOTP clients as well as DHCP clients. Here's the syntax for the range statement:
range [ dynamic-bootp ] low-address [ high-address];
When specifying a single address, the high-address variable may be omitted.
Allow and deny statements can be used to control the response of the DHCP server to various sorts of requests. The allow and deny keywords have different meanings depending on context. In a pool context, these keywords can be used to set up access lists for address allocation pools. In other contexts, the keywords simply control general server behavior with respect to clients, based on scope.
The following declarations work in any scope, although you shouldn't use them in group declarations.
If you want to send rfc1048 options to such a client, you can set the always-reply-rfc1048 option in that client's host declaration, and the DHCP server will respond with an RFC-1048-style vendor options field. This flag can be set in any scope, and will affect all clients covered by that scope.
When setting up authoritative DHCP servers for your networks, always write:
authoritative;
at the top of your configuration file to indicate that the DHCP server should send DHCPNAK messages to misconfigured clients. If you don't do this, clients who change subnets will be unable to get a correct IP address until their old lease has expired, which could take quite a long time.
If you want to set up a DHCP server so that it is aware of some networks for which it is authoritative and some networks for which it is not, you could declare authority on a per-network-segment basis.
Note that the most specific scope for which the concept of authority makes any sense is the physical network segment: either a shared-network statement or a subnet statement that is not contained within a shared-network statement. It is not meaningful to specify that the server is authoritative for some subnets within a shared network, but not authoritative for others, nor is it meaningful to specify that the server is authoritative for some host declarations and not others. |
The date variable is the date on which all assigned BOOTP leases will end . The date is specified in the form:
W YYYY/MM/DD HH:MM:SS
Where W is the day of the week expressed as a number from zero (Sunday) to six (Saturday). YYYY is the year, including the century. MM is the month expressed as a number from 1 to 12. DD is the day of the month, counting from 1. HH is the hour, from zero to 23. MM is the minute and SS is the second. The time is always in Universal Coordinated Time (UTC), not local time.
This flag is always true, it can't be turned off.
The use of the server-identifier statement is not recommended: the only reason to use it is to force a value other than the default value to be sent on occasions where the default value would be incorrect. The default value is the first IP address associated with the physical network interface on which the request arrived.
The usual case where the server-identifier statement needs to be sent is when a physical interface has more than one IP address, and the one being sent by default isn't appropriate for some or all clients served by that interface. Another common case is when an alias is defined for the purpose of having a consistent IP address for the DHCP server, and it is desired that the clients use this IP address when contacting the server.
Supplying a value for the dhcp-server-identifier option is equivalent to using the server-identifier statement.
group { use-host-decl-names on; host joe { hardware ethernet 08:00:2b:4c:29:32; fixed-address joe.fugue.com; } }
is equivalent to:
host joe { hardware ethernet 08:00:2b:4c:29:32; fixed-address joe.fugue.com; option host-name "joe"; }
An option host-name statement within a host declaration will override the use of the name in the host declaration.
Most DHCP clients completely ignore the host-name option sent by the DHCP server, and there is no way to configure them not to do this. |
DHCP options contain information about a network and the various services it makes available. You direct the DHCP server to tell specified clients about some or all of this information by declaring relevant DHCP options in your dhcpd.conf file. DHCP option statements start with the option keyword, followed by an option name, followed by option data, like this:
option option-name option-data
Here are the syntax rules:
See the section on Standard DHCP options for a list of allowed option names and corresponding data types. |
The variables in DHCP option statements conform to the data types shown in the following table:
This data type: | Specifies: |
---|---|
ip-address | numerical IP address or a domain name resolving to a single IP address |
int32 | signed 32-bit integer |
uint32 | unsigned 32-bit integer |
int16 | signed 16-bit integer |
uint16 | unsigned 16-bit integer |
int8 | signed 8-bit integer |
uint8 or octet | unsigned 8-bit integer |
string | NVT ASCII string enclosed in double quotes |
flag | boolean value including true/false or on/off |
data-string | an NVT ASCII string enclosed in double quotes, or a series of hexadecimal octets separated by colons |
The standard DHCP option statements are as follows (for a sub-list of the DHCP options that are applied by the QNX DHCP client, see dhcp.client):
A uint8 value of: | Specifies: |
---|---|
1 | B-node: Broadcast - no WINS |
2 | P-node: Peer - WINS only |
4 | M-node: Mixed - broadcast, then WINS |
8 | H-node: Hybrid - WINS, then broadcast |
When you are troubleshooting DHCP, always start at the bottom and work your way up.
The contents of the dhcpd.leases file is fairly straightforward. Each lease declaration is identified with the keyword lease followed by the IP address and a block of configuration information within braces .
You might have something like this:
lease 192.168.42.1 { starts 0 2000/01/30 08:02:54; ends 5 2000/02/04 08:02:54; hardware ethernet 00:50:04:53:D5:57; uid 01:00:50:04:53:D5:57; client-hostname "PC0097"; }
The starts and ends statements tell you the period when the lease is valid. Each entry is of the form:
weekday yyyy/mm/dd hh:mm:ss;
The weekday is the numerical value for the day of the week starting with 0 on Sunday, as in this case. The date and time are UCT, not local time. The hardware entry is in the same format as in the dhcpd.conf file and lists the hardware address of the card. The uid entry is a unique identifier for the client, using either an ASCII-string client identifier supplied by the client or the hardware address preceded by hardware type (in this example 01).
This section gives you some background information that might help explain a few related issues as you create your dhcpd.conf file.
Address allocation is actually only done when a client is in the INIT state and has sent a DHCPDISCOVER message. If the client thinks it has a valid lease and sends a DHCPREQUEST to initiate or renew that lease, the server has only three choices: it can ignore the DHCPREQUEST, send a DHCPNAK to tell the client it should stop using the address, or send a DHCPACK, telling the client to go ahead and use the address for a while.
If the server finds the address the client is requesting, and that address is available to the client, the server will send a DHCPACK. If the address is no longer available, or the client isn't permitted to have it, the server will send a DHCPNAK. If the server knows nothing about the address, it will remain silent, unless the address is incorrect for the network segment to which the client has been attached and the server is authoritative for that network segment, in which case the server will send a DHCPNAK even though it doesn't know about the address.
There may be a host declaration matching the client's identification, and that host declaration contains a fixed-address declaration that is valid for the network segment to which the client is connected. In this case, the DHCP server will never do dynamic address allocation. In this case, the client is required to take the address specified in the host declaration. If the client is requesting some other address, the server will respond with a DHCPNAK.
When the DHCP server allocates a new address for a client (remember, this only happens if the client has sent a DHCPDISCOVER), it first looks to see if the client already has a valid lease on an IP address, or if there is an old IP address the client had before that hasn't yet been reassigned. In that case, the server will take that address and check it to see if the client is still permitted to use it. If the client is no longer permitted to use it, the lease is freed if the server thought it was still in use: the fact that the client has sent a DHCPDISCOVER proves to the server that the client is no longer using the lease.
If no existing lease is found, or if the client is forbidden to receive the existing lease, then the server will look in the list of address pools for the network segment to which the client is attached for a lease that is not in use and that the client is permitted to have. It looks through each pool declaration in sequence (all range declarations that appear outside of pool declarations are grouped into a single pool with no permit list). If the permit list for the pool allows the client to be allocated an address from that pool, the pool is examined to see if there is an address available. If so, then the client is tentatively assigned that address. Otherwise, the next pool is tested. If no addresses are found that can be assigned to the client, no response is sent to the client.
If an address is found that the client is permitted to have, and that has never been assigned to any client before, the address is immediately allocated to the client. If the address is available for allocation but has been previously assigned to a different client, the server will keep looking in hopes of finding an address that has never before been assigned to a client.
If a lease has been specified in a range statement and has not been listed as being in use by the server or its failover peer, dhcpd checks IP addresses to see if they are in use before allocating them to clients. It does this by sending an ICMP Echo request message to the IP address being allocated.
If no ICMP Echo reply is received within a second, the address is assumed to be free. If a response is received, dhcpd assumes that there is a configuration error or the IP address is in use by a network host that is not a DHCP client. In this case, the server marks the address as abandoned, and will not assign it to clients.
If only abandoned IP addresses are available when a DHCP client makes its request, dhcpd tries to reclaim one of the abandoned IP addresses by carrying out a new ICMP Echo request check. If there is no answer to the ICMP Echo request, the address is assigned to the client and the search ends; if not, dhcpd tries the next abandoned address and so on until it finds a free one.
If the same conditions apply when the next request comes in, dhcpd starts the same search starting at a different IP address to avoid cycling through the same sequence as before.
At first glance, there may not seem to be much to talk about in terms of security and DHCP. However, considering the importance of DHCP, a few precautions are in order.
The first consideration is the machine itself. Although an outage of a couple of hours might be something you can deal with, any long outage means that there may be a number of machines without a valid configuration or even a valid IP address. Therefore, you need to look at what other services the machine with your DHCP server provides. Since there is very little computer power required to support DHCP, you can easily get away with smaller machines. This might be preferable to having dhcpd running alongside some other machines.
Another issue to consider is a denial-of-service attack. If your DHCP server were accessible from the Internet, it would be possible for someone to gobble up all of your IP addresses, leaving nothing for your own machines. So make sure that you stop DHCP traffic getting through your firewall by blocking port 67 (the DHCP listen port) and port 68 (the DHCP transmit port) on the machine running your firewall.
An easy way to create you own dhcpd.conf file is to backup the file in /etc/dhcpd.conf file and then change it to suit your own needs. Here is the file we provide in /etc/dhcpd.conf:
# dhcpd.conf # # Sample configuration file for ISC dhcpd # # option definitions common to all supported networks... option domain-name "fugue.com"; option domain-name-servers toccata.fugue.com; option subnet-mask 255.255.255.224; default-lease-time 600; max-lease-time 7200; subnet 204.254.239.0 netmask 255.255.255.224 { range 204.254.239.10 204.254.239.20; option broadcast-address 204.254.239.31; option routers prelude.fugue.com; } # The other subnet that shares this physical network subnet 204.254.239.32 netmask 255.255.255.224 { range dynamic-bootp 204.254.239.10 204.254.239.20; option broadcast-address 204.254.239.31; option routers snarg.fugue.com; } subnet 192.5.5.0 netmask 255.255.255.224 { range 192.5.5.26 192.5.5.30; option name-servers bb.home.vix.com, gw.home.vix.com; option domain-name "vix.com"; option routers 192.5.5.1; option subnet-mask 255.255.255.224; option broadcast-address 192.5.5.31; default-lease-time 600; max-lease-time 7200; } # Hosts which require special configuration options can be listed in # host statements. If no address is specified, the address will be # allocated dynamically (if possible), but the host-specific information # will still come from the host declaration. host passacaglia { hardware ethernet 0:0:c0:5d:bd:95; filename "vmunix.passacaglia"; server-name "toccata.fugue.com"; } # Fixed IP addresses can also be specified for hosts. These addresses # should not also be listed as being available for dynamic assignment. # Hosts for which fixed IP addresses have been specified can boot using # BOOTP or DHCP. Hosts for which no fixed address is specified can only # be booted with DHCP, unless there is an address range on the subnet # to which a BOOTP client is connected which has the dynamic-bootp flag # set. host fantasia { hardware ethernet 08:00:07:26:c0:a5; fixed-address fantasia.fugue.com; } # If a DHCP or BOOTP client is mobile and might be connected to a variety # of networks, more than one fixed address for that host can be specified. # Hosts can have fixed addresses on some networks, but receive dynamically # allocated address on other subnets; in order to support this, a host # declaration for that client must be given which does not have a fixed # address. If a client should get different parameters depending on # what subnet it boots on, host declarations for each such network should # be given. Finally, if a domain name is given for a host's fixed address # and that domain name evaluates to more than one address, the address # corresponding to the network to which the client is attached, if any, # will be assigned. host confusia { hardware ethernet 02:03:04:05:06:07; fixed-address confusia-1.fugue.com, confusia-2.fugue.com; filename "vmunix.confusia"; server-name "toccata.fugue.com"; } host confusia { hardware ethernet 02:03:04:05:06:07; fixed-address confusia-3.fugue.com; filename "vmunix.confusia"; server-name "snarg.fugue.com"; } host confusia { hardware ethernet 02:03:04:05:06:07; filename "vmunix.confusia"; server-name "bb.home.vix.com"; }
dhcp.client, dhcpd, /var/state/dhcp/dhcpd.leases, dhcprelay, syslogd.
RFC2131, RFC2132.