My dhcpd.conf

Last Update 07th October 2008

This guide is aimed at users of Debian Linux. The configuration options are generic, but the location of files and the version of the software might be different on other Linux flavours. If anyone has any comments, or manages to make this guide work for other Linux flavours, please tell me and I will add the comments to the guide.

My Network

First, a few details about my network structure. I use the private subnet 192.168.0.0 with a netmask of 255.255.255.0. The internal domain name is int.example.org. The server runs a number of services including DNS (domain name service), NIS (network information service) and NTP (network time protocol), and it also acts as a router for the network, with a second network card connecting to the internet.

The hostname of the dhcp server is mars.example.org. This is a pretty randomly chosen network name; as it won't be on the internet you can use pretty much any name you want. The IP address of the server is 192.168.0.2. I run ISC's dhcp3 server. The configuration file is located at /etc/dhcp3/dhcpd.conf and the startup script at /etc/init.d/dhcp3-server. If you are running the older dhcp2 server, the configuration file is probably located at "/etc/dhcpd.conf" and the startup script at "/etc/init.d/dhcp".

If you don't have dhcpd installed already, run

apt-get install dhcp3-server

or use your Linux flavour's package management tool; I don't want to get bogged down in the details of how to compile from source. Possibly I will spin that off into another article at some point.

The following is an annotated listing of my /etc/dhcpd.conf file. The original can be downloaded here.

Please note that Debian has a file /etc/default/dhcp3-server in which you set which interfaces the server listens on. If your server has more than one network card, you can choose which interface the server listens on by editing this file.

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="eth0"

Example dhcpd.conf

Based on my network settings, here is a simple subnet declaration. You will need to edit this depending on what subnet you use.

subnet 192.168.0.0 netmask 255.255.255.0 { #This is a subnet which the dhcpd server controls; note the { is required
default-lease-time 345600; #Sets the lease time in seconds before computers must renew their leases
max-lease-time 691200; #Sets the maximum amount of time a pc can hold a lease for
option domain-name "example.org"; #Sets the domain name
option domain-name-servers 192.168.0.2; #Sets the dns servers; you can have one or multiple ip addresses separated by commas
option routers 192.168.0.2; #Sets the network gateway / router
option broadcast-address 192.168.0.255; #Sets the network broadcast address
range 192.168.0.20 192.168.0.30; #Defines a range of ips to be used as leases
}

If you want more available addresses you can change the range accordingly. For example, changing the range statement to "range 192.168.0.100 192.168.0.200;" would give 100 free address leases to the pool. IP addresses are formed xxx.xxx.xxx.xxx, where each xxx must be a number between 0 and 254. You must not use addresses that end in .0 or .255 as they are reserved for broadcast traffic.

DHCP Options

The option directives feed various information to the clients. You can find out more by typing man dhcp-options, or this site has a nice breakdown of the available options to send to the client computers.

Adding a default lease

If you want one computer or device to always get the same IP without statically defining it on the device itself (for example, you might want to set up DNS without using dynamic dns), it is easy so long as you know the MAC address of the computer or device. If you do not know the MAC address of a device you can find it out by running a command: on Windows open a command prompt and type "ipconfig /all"; Linux users can type ifconfig eth0 in a terminal. Additionally, most hardware manufacturers print the MAC address on the device. It is usually near the serial number on a label on the device, or shown in the admin program. MAC addresses are usually in the form XX-XX-XX-XX-XX-XX where each XX is a hexadecimal value. The hyphens (or colons) are only used to make the MAC human readable.

On my network I give out a fixed lease IP address to several devices including my wireless access point. I could have statically assigned it an IP address. However, I wanted everything controllable via my dhcp server, so that if I ever want to change network addresses or settings such as the default route I only have to edit one file, rather than manually reassigning addresses. On a small network it might be quicker to statically assign addresses, but if you need to scale up it can save you a considerable amount of time to only have to edit one file.

host solar_sys { #Set the hostname of the client computer, in this case solar_sys.
hardware ethernet 00:80:4f:1d:57:47; #Registers the MAC address of the client computer.
fixed-address 192.168.0.50; #This line specifies the IP address to be used by the client, 192.168.0.50
}

Note the access point is set to get an ip address via dhcp. The hostname of the access point is solar_sys, and the IP address is 192.168.0.50.
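As an added example (not part of the original guide), here is a small Python check of the subnet declaration and the fixed lease above. It counts the leases a range statement hands out (both ends of the range are leased, so the count is inclusive) and warns when the dynamic pool overlaps the network or broadcast address, the router/DNS address or a fixed-address host, any of which would lead to two machines being given the same IP. The addresses are the ones used in this guide.

```python
import ipaddress

# Values taken from the subnet and host declarations in this guide.
SUBNET = ipaddress.ip_network("192.168.0.0/24")
RANGE_START, RANGE_END = "192.168.0.20", "192.168.0.30"
# The router / DNS server address handed out in the options, and the fixed lease for solar_sys.
SERVER_ADDRESSES = {"192.168.0.2"}
FIXED_ADDRESSES = {"solar_sys": "192.168.0.50"}


def pool_size(start, end):
    """Number of leases in an inclusive 'range start end;' statement."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return int(b) - int(a) + 1


def check_pool(subnet, start, end, reserved):
    """Return a list of problems with a dynamic range; an empty list means it is OK.

    reserved: addresses that must never be leased dynamically (router, DNS,
    fixed-address hosts), since handing them out causes duplicate-IP conflicts.
    """
    problems = []
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if a > b:
        problems.append("range start is after range end")
    for ip in (a, b):
        if ip not in subnet:
            problems.append(f"{ip} is outside {subnet}")
    if a == subnet.network_address or b == subnet.broadcast_address:
        problems.append("range includes the network or broadcast address")
    for ip in sorted(ipaddress.ip_address(r) for r in reserved):
        if a <= ip <= b:
            problems.append(f"reserved address {ip} lies inside the dynamic pool")
    return problems


if __name__ == "__main__":
    reserved = SERVER_ADDRESSES | set(FIXED_ADDRESSES.values())
    print("leases in pool:", pool_size(RANGE_START, RANGE_END))
    for p in check_pool(SUBNET, RANGE_START, RANGE_END, reserved):
        print("WARNING:", p)
```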

Starting and stopping

To start the server run the command "/etc/init.d/dhcp3-server start", or for dhcpd version 2 "/etc/init.d/dhcp start".

If the server is already running you can use the "stop" command to stop it, or the "restart" command to run a stop followed by a start. If you're not sure whether the server is running and want to give it a quick check, "ps -aux |grep dhcp" should return something like

mars:/etc# ps -ax |grep dhcp
9376 ? S 0:00 /usr/sbin/dhcpd3 -q
26566 pts/1 S 0:00 grep dhcp

The line /usr/sbin/dhcpd3 -q shows me that the dhcp server is running. It also has a command line switch of -q, which according to the man page is quiet mode.

I am informed that to restart the service on Red Hat you use the command service dhcp command, command being either stop, start or restart. Thanks to SG for this.

Other DHCP Options

Using the dhcp protocol there are many additional services you could add or inform client machines about, if you run extra services on your network. These include network time (NTP), bootp (autobooting dumb terminals) and even redirecting certain groups of clients to different servers. Most of these options are beyond the scope of this guide, but I have detailed a few examples below.

I run NIS (Network Information Service) on my network. NIS is very insecure, but for a small network firewalled off from the internet it can be a useful method of having centralised user accounts on a Linux/Unix network. You can ignore this unless you want to run a Linux network with centralised user accounts; ask me nicely and I might even write a guide one day ;-) Type "man dhcp-options" for a list of possible options.

option nis-domain "contraway"; #Sets the NIS domain (if you use NIS on your network)
option nis-servers 192.168.0.2; #Sets the default NIS server

If you want your clients to use a centralised time server (again, if your network is based on Windows I wouldn't bother with this):

option time-servers 192.168.0.2; #Sets the default time server

Dynamic DNS Extensions

Your clients get their addresses dynamically, so wouldn't it be nice to also record the reverse lookups so you can reach your clients by hostname rather than ip address (which of course might change)? Modern versions of the dhcp daemon and the bind dns server can talk to and dynamically update each other. Dynamic DNS has limited support under version 2 of the ISC dhcp daemon, so I highly recommend upgrading to version 3 if you intend to use dynamic updates.

Security

If you plan to allow updates to your dns it is a very good idea to implement security so that crackers don't hijack your dns. The best model for DNS is to use keys to secure the zone updates. In order to use key based secure dns you will need to create a key (or indeed a number of keys); the command to do so is

dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER

This creates 2 files, a private and a public one. They will be called something like Kdhcp_updater.+157+47203.key and Kdhcp_updater.+157+47203.private. You only actually need the key string inside these files.

Editing dhcpd.conf for ddns

Tell the system which ddns update style to use (the standard isn't formal at the time of writing, so I am using the ISC interim method)

ddns-update-style interim; #Activates dynamic dns
update-static-leases on; #Ensures static leases get entered
authoritative; #Sets the server authoritative for my network

Next add an entry for the ddns key. It is very important to use exactly the same key string and name in both dhcpd.conf and named.conf in order for it to work!

key dhcp-update-key. { #This line specifies the key name
algorithm HMAC-MD5; #This line specifies the HMAC algorithm; best to stick with HMAC-MD5
secret "YBHmkqsgsjUxqZG3PZpTRPtjzWtH1pMKqxzHuzAijPVyJFSxE=="; #Finally the key statement itself
};

The zone statements are another part of dynamic dns; they link in the bind zones

zone example.org {
primary mars.example.org;
key dhcp-update-key.;
}
zone 0.168.192.in-addr.arpa. {
primary mars.example.org;
key dhcp-update-key.;
}

Editing named.conf

In order for the dynamic updates to take place you will also need to add the key definition and zone amendments to named.conf. Firstly, add the key

key dhcp-update-key. {
algorithm hmac-md5;
secret "YBHmkqsgsjUxqZG3PZpTRPtjzWtH1pMKqxzHuzAijPVyJFSxE==";
};

Next, on the zone definitions add the line allow-update{key dhcp-update-key.;};

zone "example.org" {
type master;
file "pri/example.org";
allow-update{key dhcp-update-key.;};
};
zone "0.168.192.in-addr.arpa" {
type master;
file "pri/reverse.local";
allow-update{key dhcp-update-key.;};
};
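Because a key name, algorithm or secret that differs between dhcpd.conf and named.conf makes every signed update fail, here is an added Python check (not from the original guide) that parses the key stanzas from both files and compares them, and also confirms the secret is valid base64 of the 128-bit length that the dnssec-keygen command above produces. The two stanzas below are constructed samples in the shape this guide uses, with a made-up secret; the same check applies to keys used for zone transfers.

```python
import base64
import re

# Constructed sample stanzas in the shape this guide uses; the secret is a made-up
# 128-bit key (the size "dnssec-keygen -b 128" yields), not the guide's own key.
DHCPD_CONF = '''
key dhcp-update-key. { #This line specifies the key name
algorithm HMAC-MD5;
secret "7DH3Y2TDZ4k8kIHIYSMg0w==";
};
'''
NAMED_CONF = '''
key dhcp-update-key. {
algorithm hmac-md5;
secret "7DH3Y2TDZ4k8kIHIYSMg0w==";
};
'''
KEY_RE = re.compile(
    r'key\s+"?(?P<name>[\w.\-]+)"?\s*\{\s*algorithm\s+(?P<alg>[\w\-]+)\s*;'
    r'\s*secret\s+"(?P<secret>[^"]*)"\s*;\s*\}\s*;', re.IGNORECASE)

def parse_keys(conf):
    """Map key name -> (algorithm, secret) for each key stanza; # and // comments are ignored."""
    text = re.sub(r"(#|//).*", "", conf)
    return {m.group("name").lower().rstrip("."): (m.group("alg").lower(), m.group("secret"))
            for m in KEY_RE.finditer(text)}

def secret_bits(secret):
    """Length in bits of a base64 TSIG secret, or None if it is not valid base64."""
    try:
        return len(base64.b64decode(secret, validate=True)) * 8
    except ValueError:  # binascii.Error is a ValueError
        return None

def check_tsig(dhcpd_conf, named_conf, expected_bits=128):
    """List mismatches that make signed updates fail; an empty list means the files agree."""
    problems = []
    named_keys = parse_keys(named_conf)
    for name, dhcpd_key in parse_keys(dhcpd_conf).items():
        if name not in named_keys:
            problems.append(f"key {name} is missing from named.conf")
            continue
        if dhcpd_key != named_keys[name]:
            problems.append(f"key {name}: algorithm or secret differs between the files")
        bits = secret_bits(dhcpd_key[1])
        if bits is None:
            problems.append(f"key {name}: secret is not valid base64")
        elif bits != expected_bits:
            problems.append(f"key {name}: secret is {bits} bits, expected {expected_bits}")
    return problems
```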

Secure Zone Transfers

There are several ways to secure the transfer of dns zone information. The most common is IP address based restrictions. Unfortunately, security based on IP address is inherently insecure as IP addresses are trivial to spoof. TSIG keys are not only useful for securing dynamic dns updates; they can also be used to secure your name server zone transfers. Keys are very secure and difficult to crack. This is very useful if your domain name server contains details of your network that you want to hide from the public, or you are worried about hackers poisoning your zone information. I would recommend secure updates as a great method to control access to the zone information.

Dual Booting Clients

A couple of people have told me that there is a problem with leases when dual booting clients, so I dug around a bit and found the following

Text after a # sign is a comment

# Make DHCP work on dual boot machines (Linux & Windows2000)
# Microsoft proprietary stuff:
option space MSFT;
option MSFT.release-on-shutdown code 2 = unsigned integer 32;
# Note: The vendor option "MSFT 5.0" is also used by Windows XP
class "win2k-clients" {
match if option vendor-class-identifier = "MSFT 5.0";
send fqdn.server-update true;
send fqdn.no-client-update true;
vendor-option-space MSFT;
option MSFT.release-on-shutdown 1;
}