Is your DHCP Server Authoritative?


Possibly the single most annoying misconfiguration of the ISC DHCP Server today is forgetting to set the 'authoritative;' directive, when doing so is appropriate.

When a DHCP server believes that a client is requesting an address that is not appropriate for the subnet to which it is attached, for example because a user's laptop received a lease from their home network the night prior, the server is expected to send a DHCPNAK in response to the client's DHCPREQUEST. This causes the client to immediately fall back to INIT state, forget its old lease, and start over from scratch as though it never had one. Out of the box, on a default configuration, ISC DHCP does not do this, and you are expected to configure 'authoritative;' on a line somewhere in your dhcpd.conf if you want this behaviour.

Without 'authoritative;', the client will not get a new lease until it gives up, of its own volition, on its old one. Client implementations being different, there is nothing barring the client from trying to hold on to its old lease until it reaches its expiry time! Most clients, however, don't make you wait quite that long, and time out after several minutes.

If ISC DHCP's default configuration included this behaviour, then one of its chief uses, as a rogue DHCP server on college campuses, would cause extreme havoc and mayhem and possibly the deaths of several undergraduate students who don't realize the horror of attracting their operators' attentions.

So, if your DHCP server is the only one on the network, or the only one that SHOULD be on the network, or in general if you are in charge of the network to which it is attached and are therefore smart enough to not have more than one (or one failover pair) DHCP server, then you need to set 'authoritative'.

That said, it's still possible that ISC DHCP won't send a DHCPNAK in response to some queries. In particular, it won't NAK requests for addresses that are within the DHCP server's subnet ranges, and are therefore reasonable for the network to which the client is attached, but do not appear in any pool statement, or host statement's fixed-address, or so forth. Quite often this occurs when DHCP pools are migrated, and the DHCP server is just trying to play nice in the event that another DHCP server is in charge of a different pool on the same subnet (and somehow your clients are configured to be smart enough to choose which lease to ask for).

You can tell that this is happening because ISC DHCPD will log a line indicating "Unknown lease."

To elicit DHCPNAKs from the server in this case, you need to configure a denial in the old pool's scope, as in this example:

lease-file-name "/var/db/dhcpd.leases";

ddns-update-style none;
authoritative;

option domain-name "your.domain";
option domain-name-servers 10.0.0.2, 10.0.0.3;

default-lease-time 3100;	# 51 minutes.
max-lease-time 604800;		# 1 week


subnet 10.0.0.0 netmask 255.255.255.0 {
	option routers 10.0.0.1;
	option subnet-mask 255.255.255.0;
	option broadcast-address 10.0.0.255;

	# The latest input from layer-9 required us to shift the dynamic
	# range from the top half of the subnet down to the bottom half.
	# This pool clause will elicit NAKs for the old leases while the
	# clients migrate.  Remember to remove this once they've all booted
	# once or expired.
	pool {
		range 10.0.0.1 10.0.0.127;
		deny all clients;
	}
	pool {
		range 10.0.0.128 10.0.0.254;
	}
}
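The following Python script is an added example, not code from the original article: it parses a dhcpd.conf for the 'authoritative;' directive, its subnets, ranges and 'deny all clients' pools, then classifies DHCPREQUEST lines from dhcpd's syslog output so that the "unknown lease" condition described above can be spotted, and confirmed fixed once the deny pool is in place. The two configs and the log lines are constructed for illustration; the function names (parse_dhcpd_conf, classify, audit_log, findings) are my own, and the log lines follow the usual "DHCPREQUEST for ... via ...: reason" shape dhcpd logs.

```python
"""Audit a dhcpd.conf and dhcpd log lines for a missing 'authoritative;' and
for "unknown lease" requests (inside a served subnet, outside every range).
Added example, not from the original article; configs and logs are constructed."""
import ipaddress
import re

# Constructed "before" config: range moved to the top half, no authoritative.
CONF_BEFORE = """
subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;   # comments are stripped before parsing
    pool { range 10.0.0.128 10.0.0.254; }
}
"""
# Constructed "after" config, following the article's fix.
CONF_AFTER = """
authoritative;
subnet 10.0.0.0 netmask 255.255.255.0 {
    pool { range 10.0.0.1 10.0.0.127; deny all clients; }
    pool { range 10.0.0.128 10.0.0.254; }
}
"""
# Constructed syslog lines in the shape dhcpd uses for DHCPREQUEST outcomes.
SAMPLE_LOG = [
    "Mar  1 08:00:01 dhcp1 dhcpd: DHCPREQUEST for 10.0.0.140 from 00:11:22:33:44:55 via eth0",
    "Mar  1 08:00:05 dhcp1 dhcpd: DHCPREQUEST for 10.0.0.42 from 00:11:22:33:44:66 via eth0: unknown lease 10.0.0.42.",
    "Mar  1 08:00:09 dhcp1 dhcpd: DHCPREQUEST for 192.168.7.20 from 00:11:22:33:44:77 via eth0: ignored (not authoritative).",
    "Mar  1 08:00:13 dhcp1 dhcpd: DHCPREQUEST for 10.0.0.42 from 00:11:22:33:44:66 via eth0: unknown lease 10.0.0.42.",
]

_SUBNET_RE = re.compile(r"\bsubnet\s+([\d.]+)\s+netmask\s+([\d.]+)\s*\{")
_POOL_RE = re.compile(r"\bpool\s*\{")
_RANGE_RE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?([\d.]+)(?:\s+([\d.]+))?\s*;")
_REQ_RE = re.compile(r"DHCPREQUEST for (\S+?)(?: \(\S+\))? from \S+ (?:\(\S+\) )?via ([^:\s]+)(?:: (.*))?$")


def _block_after(text, brace_pos):
    """Return the text between the '{' at brace_pos and its matching '}'."""
    depth = 0
    for i in range(brace_pos, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[brace_pos + 1:i]
    raise ValueError("unbalanced braces in dhcpd.conf")


def _ranges_in(text):
    """(low, high) address pairs for every 'range' statement in text."""
    return [(ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
            for lo, hi in _RANGE_RE.findall(text)]


def parse_dhcpd_conf(text):
    """Authoritative flag plus, per subnet, its ranges tagged with whether
    they sit inside a 'deny all clients' pool."""
    text = re.sub(r"#.*", "", text)
    conf = {"authoritative": re.search(r"(?m)^\s*authoritative\s*;", text) is not None,
            "subnets": []}
    for m in _SUBNET_RE.finditer(text):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        body = _block_after(text, m.end() - 1)
        ranges, rest = [], body
        for p in _POOL_RE.finditer(body):
            pbody = _block_after(body, p.end() - 1)
            denied = re.search(r"\bdeny\s+all\s+clients\s*;", pbody) is not None
            ranges += [(lo, hi, denied) for lo, hi in _ranges_in(pbody)]
            rest = rest.replace(pbody, "")   # don't count pool ranges twice
        ranges += [(lo, hi, False) for lo, hi in _ranges_in(rest)]
        conf["subnets"].append((net, ranges))
    return conf


def classify(addr, conf):
    """served: in a normal range; denied: in a 'deny all clients' pool (NAK);
    unknown-lease: in a subnet but in no range (dhcpd stays silent);
    foreign: outside every served subnet (NAK only when authoritative)."""
    ip = ipaddress.ip_address(addr)
    for net, ranges in conf["subnets"]:
        if ip in net:
            for lo, hi, denied in ranges:
                if lo <= ip <= hi:
                    return "denied" if denied else "served"
            return "unknown-lease"
    return "foreign"


def audit_log(lines, conf):
    """(addr, kind, reason dhcpd logged) for every DHCPREQUEST line."""
    return [(m.group(1), classify(m.group(1), conf), (m.group(3) or "").rstrip("."))
            for m in filter(None, map(_REQ_RE.search, lines))]


_ADVICE = {
    "unknown-lease": "inside a served subnet but in no range; dhcpd logs 'unknown lease' "
                     "and stays silent, so cover it with a 'deny all clients' pool",
    "denied": "covered by a 'deny all clients' pool; dhcpd will NAK it",
    "foreign": "outside every served subnet; NAKed only when 'authoritative;' is set",
}


def findings(conf_text, log_lines):
    """One human-readable line per distinct issue."""
    conf = parse_dhcpd_conf(conf_text)
    out = [] if conf["authoritative"] else [
        "no 'authoritative;' in dhcpd.conf: foreign leases are ignored, not NAKed"]
    seen = dict.fromkeys((a, k) for a, k, _ in audit_log(log_lines, conf) if k != "served")
    return out + [f"{addr}: {_ADVICE[kind]}" for addr, kind in seen]
```

Running findings(CONF_BEFORE, SAMPLE_LOG) reports the missing directive and the 10.0.0.42 "unknown lease" requests; with CONF_AFTER the same address is reported as covered by the deny pool, which is exactly the condition under which dhcpd starts sending DHCPNAKs to the migrating clients.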

Installing and configuring a DHCP server on Ubuntu can be done with the following steps:

### 1. Update the system

First, make sure the system packages are up to date. Open a terminal and run:

```bash
sudo apt update
sudo apt upgrade
```

### 2. Install the DHCP server

Install the ISC DHCP server, the DHCP server software commonly used on Ubuntu:

```bash
sudo apt install isc-dhcp-server
```

### 3. Configure the DHCP server

Edit the server's configuration file `/etc/dhcp/dhcpd.conf` with your preferred text editor, for example `nano`:

```bash
sudo nano /etc/dhcp/dhcpd.conf
```

Add the following configuration to the file:

```conf
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 8.8.8.8, 8.8.4.4;
    option domain-name "example.com";
}
```

Adjust the address range, gateway, subnet mask and DNS servers above to match your network.

### 4. Specify the network interface

Edit `/etc/default/isc-dhcp-server` to set the network interface the DHCP server listens on:

```bash
sudo nano /etc/default/isc-dhcp-server
```

Find the following lines and change them to your interface name (for example `eth0`):

```conf
INTERFACESv4="eth0"
INTERFACESv6=""
```

### 5. Restart the DHCP server

Once the configuration is done, restart the DHCP server to apply the changes:

```bash
sudo systemctl restart isc-dhcp-server
```

### 6. Configure the firewall

Make sure the firewall allows DHCP traffic through. Run the following commands to allow it:

```bash
sudo ufw allow 67/udp
sudo ufw allow 68/udp
```

### 7. Check the DHCP server status

Use the following command to check the status of the DHCP server:

```bash
sudo systemctl status isc-dhcp-server
```

If everything is in order, the DHCP server should now be running and handing out IP addresses.