KNOW HOW DHCP
he first three articles in this series
Linux Networking Guide: Part 4
covered all the basics of configuring
TLinux boxes as network hosts. The
emphasis throughout has been on using
command line tools and editing the text
DHCP
configuration files. If you have read all
three articles you will know that network
configuration on Linux boxes is actually
A simple guide to configuring Linux networks from the command line.
very simple.
However, as your network grows it This final article in the series shows how to use DHCP to configure network
becomes an increasing chore just to keep
hosts dynamically. BY BRUCE RICHARDSON.
all those configuration files up to date,
particularly if you make significant
changes to the structure of your network.
Add a nameserver to your network, or
change the IP address of a gateway
router, and you will have the task to edit
the configuration files on each and every
network host.
Life would be much easier if it were only
possible for your computers to fetch their
configurations from a central source. Not
only would it make the job of setting up
new machines easier but you could make
network design changes centrally and
have them propagate to all your machines.
Laptops, PDAs and other transient devices
could be connected to your network and
configure themselves automatically.
The good news is that it is possible,
using the Dynamic Host Configuration
Protocol. This article will show you how
to set up DHCP both on the server and
client sides and how you can update your
DNS information dynamically when IP
addresses are assigned through DHCP.
Overview
When a dynamically-configured host is
first connected to a network it has no IP
address nor any notion of the local sub-
net address, netmask etc. So it sends a
broadcast request for configuration that it has been supplied with. The pool of addresses to which it grants
details. If there is a DHCP server on the dynamically-configured host is now ready leases. A lease has a set lifespan and
local subnet it sends a reply, allocating to participate normally on the network. must be renewed before it expires if the
the host an IP address and passing on any The server can pass on more than just host is then to retain the same IP address.
other network configuration parameters the parameters of the host s network Typically, DHCP client software will
interface. It can store a wide range of net- attempt to renew a lease once it is
work related information, including the halfway through its lifespan and will
Finding a Network Card's
local domain name, addresses of DNS repeat the attempt at regular intervals
MAC Address
servers, routers, WINS servers and much until it is either successful or the lease
Many NICs come with their MAC address
more. It is entirely up to the DHCP client expires, after which time a new lease
printed on a label on the card. Another way
software how much of this is then used to must be requested.
to find the MAC address is to configure a
configure a host. This leasing model allows you to have
network interface for it (by, say, getting it to
a pool of addresses smaller than the total
take a dynamic address from DHCP) and
Leases
number of hosts to be connected, if you
then running ifconfig. In the details returned
When a DHCP server assigns an IP know that only a certain fraction of those
by ifconfig, the MAC address for each config-
address to a host it is not a permanent hosts are likely to be connected at any
ured card is given in the HWaddr field.
allocation. The server has available a one time.
44 September 2002 www.linux-magazine.com
DHCP KNOW HOW
It is also possible to associate, using More seriously, the DHCP protocol
DHCP Server Config
DHCP, a fixed IP address with a particular makes no provisions for security. When a
hostname and/or network card (which DHCP client sends a broadcast request it
# /etc/dhcpd.conf
latter option, since network cards tend accepts the first reply it gets. A malicious
#
not to flit from device to device, has the person could then subvert hosts on your
effect of associating the IP address with a network by connecting a laptop running
# Option definitions common to U
specific piece of hardware). So if the its own DHCP server. This isn t quite as
all supported networks...
DHCP client specifies a hostname in its calamitous as it sounds, since queries are
default-lease-time 86400;
request or if the request originates from a only sent out by newly connected hosts
max-lease-time 86400;
network card with a specific MAC or those which haven t been able to
option domain-name U
address, then the associated fixed address renew an existing lease. Your only protec-
"example.org";
may be returned. tion is to run some kind of Intrusion
option domain-name-servers U
Detection Software such as Snort.
192.168.10.1, 192,168.10.5;
Choice of Lease Lifespan
One particular possible security hole
option subnet-mask 255.255.255.0;
DHCP client software may specify a lease arises with fixed IP address assignments
lifespan when requesting a lease but the (as described in the Section called
# Options for each subnet
server can have both a default lifespan Leases). If no MAC address has been
subnet 192.168.10.0 netmask U
setting for requests that don t specify and associated with the assignment then the
255.255.255.0 {
a maximum setting that overrides any DHCP server has no way of verifying that
range 192.168.10.101 U
request for a greater span. The value you the requesting host has any right to the
192.168.10.200;
assign to these settings will be significant hostname it specifies. So it is wise always
option routers 192.168.10.1;
in the effect on your network. to specify a MAC address where practical.
}
Firstly, setting a shorter lifespan will Because of these issues, it isn t wise to
mean more frequent renewals and so have your servers configure their network
subnet 192.168.11.0 netmask U
more DHCP-related noise on the network interfaces through DHCP. Leave that for
255.255.255.0 {
(as well as making your network more your workstations and configure your
range 192.168.11.51 U
vulnerable to a failure in your DHCP servers manually. Otherwise, your entire
192.168.11.90;
server). network will be vulnerable to attack.
range 192.168.11.200 U
Secondly, it is only when you renewing
192.168.11.254;
The DHCP Server
a lease that the client software checks for
option routers 192.168.11.1;
other network configuration details. So if In this article I will be using the server soft-
}
you set a seven day lease and then give a ware that is available from the Internet
new set of name server addresses to the Software Consortium, which is over-
subnet 192.168.12.0 netmask U
DHCP server, it will then typically take at whelmingly the most commonly used on
255.255.255.0 {
least three and a half days for that Linux. It should be available as one of your
}
information to propagate throughout the distribution s core packages or you can
network. download the source from the ISC website
# Options for specific hosts U
So sysadmins are typically faced with a [1]. On the website you will be able to find
host marx {
tension between the optimum network source for versions 2.x and 3.x. Examples
hardware ethernet U
performance and the propagation speed, given here will work with either.
00:08:20:81:77:82;
which only time, experiment and experi-
fixed-address 192.168.10.51;
Configuration
ence can resolve.
}
The DHCP server has one configuration
The Science Bit
file, whose default location is /etc/
host engels {
DHCP requests and replies are sent using dhcpd.conf (you can specify a different
fixed-address 192.168.10.52; U
UDP. The server listens on port 67, the file at runtime by passing a parameter on
34 }
client on port 68. the command line). An example is shown
in the DHCP Server Config boxout. As
Some Drawbacks to DHCP
you can see, each line is terminated by a Next we have some subnet declarations,
When using DHCP on your network, semi-colon, sub-options are contained each giving specific options for a subnet
there are certain questions introduced within braces. to which this machine is connected. The
about the reliability and security. On the First come the global options. The lease first two declarations each allocate a
reliability side, if your DHCP server fails lifespan (measured in seconds) has here range of IP addresses to the pool for that
then your entire network may just grind been set to one day. There follow settings subnet and also give the router IP address.
to a halt. MS Windows workstations are for the local domain name and and DNS The third subnet declaration is empty,
particularly bothersome in this situation servers. The subnet-mask global option indicating that the server will not respond
and will assign themselves a new address provides a default for any subnet which to requests from that subnet.
on a reserved subnet, a feature called does not have a netmask specified in its Important: There must be a subnet
Automatic Private IP Addressing. own declaration. declaration for each subnet for which the
www.linux-magazine.com September 2002 45
KNOW HOW DHCP
host has a configured network interface, or by editing its configuration file,
Pump Config File
unless the server was set at runtime to /etc/pump.conf. The example file shown
# /etc/pump.conf
only listen on specific interfaces (see the in the Pump Config File boxout tells
Section called Running the Server). In the pump not to rewrite /etc/resolv.conf if it
device eth0 {
latter case there must be a declaration for receives DNS configuration information
nodns
each specified subnet. with the lease for eth0 and to run the
}
Finally, some host declarations, which user-written script /usr/local/sbin/dhcp
specify fixed IP addresses for particular whenever a lease is granted, renewed or
script /usr/local/sbin/dhcp
hosts. The first declaration specifies a released. The script is passed the action
MAC address and so will allocate the IP ('up', 'renewal' or 'down'), IP address
address to any request coming from that happens, copy the backup file back to and interface name as parameters.
network card, whether or not the request dhcp.leases and restart the daemon.
dhclient
includes the marx hostname. Also in Each record in the leases file records
contrast, the second declaration means the start and end date/time, MAC Using dhclient to configure an interface is
that 192.168.10.52 will be assigned to any address, hostname (if given) and IP just as simple as pump:
request including the engels hostname, address. This can be of use either to other
even if an existing lease has already been applications or to your own scripts. One /sbin/dhclient eth0
granted to another machine using the example is given in the Section called
same name. Dynamic DNS Updates. You can also modify dhclient s behaviour
Caution Any fixed IP addresses by editing /etc/dhclient.conf, though in
Configuring the Client
assigned in host declarations must not be most cases it will function perfectly well
from within ranges that have been For a Linux box to configure its network without a configuration file. The options
assigned to subnet pools. interfaces using DHCP, it requires a DHCP for dhclient configuration are much more
client. The two most commonly used are complex and flexible than pump, as we
Running the Server
pump, a simple client developed by Red show in the dhclient Config File boxout.
You can launch the server directly from Hat, and dhclient, a fully featured client The global options specify firstly that
the command line, as in this example: from the Internet Software Consortium. dhclient should try to obtain a lease for
Both work in the same simple way: 60 seconds before giving up and secondly
/usr/sbin/dhcpd -cf /etc/dhcp/U when the client is run it sends out a series that it should wait a further 30 seconds
dhcpd.conf eth0 eth1 of broadcast requests until a valid reply is before trying again.
received. The client then configures the The interface declaration sets options
In this case the daemon has been told to network interface and other parameters for dhclient to use when obtaining leases
use an alternate configuration file and to specified by the DHCP server, after which for the eth0 interface. In this case,
listen only on interfaces eth0 and eth1. it runs as a daemon in the background, dhclient should identify the hostname as
In practice, however, you are best to sending renewal requests as necessary. marx , request an hour-long lease and
stop and start the daemon by using the Both of the clients can be configured add 127.0.0.1 to the list of name servers it
init scripts provided with the package. On further to specify how they use the data receives from the server. The request
Debian, for instance, you would restart returned to them by the DHCP server and option specifies what information
the daemon thus: to run a script on the granting or renewal dhclient should ask for and the require
of a lease. option tells dhclient to reject entirely any
/etc/init.d/dhcp restart response which doesn t include a subnet
pump
mask and list of name servers.
If you wanted to pass extra parameters to pump doesn t support the full range of It is possible to have dhclient run user-
the daemon you would have to edit configuration options that can be passed defined scripts when either obtaining or
/etc/default/dhcp. If you are using through DHCP and isn t as flexible as renewing leases but as this is a more
another distribution, please consult your dhclient but is adequate for most set-ups. complex affair than with pump you
distribution s documentation for details. It is the default DHCP client for many of should read all the man pages that come
The daemon must be restarted for any the distributions and there should be a with the dhclient package before you
changes to the configuration file to take package available for you. attempt this.
effect. Once installed, configuring an interface Your distribution will have a dhclient
using pump can be as simple as this: package and you can also get the source
The Lease File
code from the ISC website (see the Info
The DHCP server keeps a record of the /sbin/pump -i eth0 boxoutat the end of this article).
current leases in a text file (on Debian
Doing it the Easy Way
this is /var/lib/dhcp/dhcp.leases, with a Which will set pump to managing eth0.
backup called dhcp.leases~. The daemon As soon as it successfully obtains a lease Thankfully, you rarely need to bother
reloads it on start-up and will fail if it it will configure the interface. with any of the above complexity, nor
can t find it (which can happen if the You can modify pump s behaviour by with running the DHCP client yourself. In
daemon fails at a crucial point). If this passing it further command line options all the major distributions you simply
46 September 2002 www.linux-magazine.com
DHCP KNOW HOW
simply the two allow-update directives,
dhclient Config File BIND Configured
which tell the respective forward and
for Dynamic Updates
reverse zones that they should accept
# /etc/dhclient.conf
updates from 192.168.10.6 (the address of
# /etc/named.conf
the DHCP server).
timeout 60;
retry 30;
options {
Configuring DHCPD 3.x
directory "/var/cache/bind";
If you want the DHCP server to do the
interface "eth0" {
};
updates itself, you need version 3.x. You
send host-name "marx";
should add the following options to
send dhcp-lease-time 3600;
zone "." {
dhcpd.conf (altering the values to suit
prepend domain-name-servers U
type hint "/etc/bind/db.root";
your own network):
127.0.0.1;
file "/etc/bind/db.root";
request subnet-mask, U
};
ddns-domainnameU
broadcast-address, routers,U
"example.org";
domain-name, U
zone "internal" {
ddns-update-style "interim";
domain-name-servers, host-name;
type master;
deny client-updates;
require subnet-mask, U
file "db.internal";
domain-name-servers;
allow-update {192.168.10.6;};
zone example.org. {
}
};
primary 192.168.10.1;
}
zone "0.0.127.in-addr.arpa" {
have to specify in the network config files
type master;
that an interface should use DHCP. When zone 254.10.168.192.in-addr.U
file "db.root";
the network interface is brought up (for arpa. {
};
example using the ifup command), the primary 192.168.10.1;
networking scripts will use whichever of }
zone "10.168.192.in-addr.arpa" {
the clients is installed.
type master;
In the Example Interface Config Files The primary setting gives the IP address
file "db.10.168.192";
boxout you can see an example of how of the name server to send the updates
allow-update {192.168.10.6;};
this is done on Debian and Red Hat. to.
};
Dynamic DNS Updates Working with DHCPD 2.x
Historically, one drawback to configuring If you have DHCPD 2.x then the DHCP
network hosts dynamically has been that your DNS records to reflect the leases server itself cannot perform updates.
their details are not stored in DNS. The given out by your DHCP server. There are alternatives, however. Stephen
DNS standard now, however, includes a In configuring your network for DDNS Carville has written some perl scripts
mechanism for sending updates to a DNS it is possible for the DHCP server and/or that can be used to monitor the
server. This makes it possible to update the client to send the updates to the name dhcpd.leases file and send updates using
server and then to use secure keys for the nsupdate binary from the BIND
protection. For simplicity s sake, this package [2].
Example Interface
example allows only the server to send
Config Files
Endnotes
updates and does not use security.
Debian config file:
This article, the last in the series, has
# /etc/network/interfaces
Configuring Bind
shown you how to set up a DHCP server,
The first step is to configure your name how to configure workstations using
auto lo
server to allow dynamic updates. For DHCP and how to set up dynamic DNS
iface lo inet loopback
BIND 8.x, this can be done as shown in updates. The four articles should provide
the BIND Configured for Dynamic you with all the information you need to
auto eth0
Updates boxout. In this case, the BIND set up simple Linux networks. Hopefully,
iface eth0 inet dhcp
config file from the previous article in this they also provide enough tasters to make
series has been modified to allow updates you ambitious to try greater things with
Red Hat config file:
to the main domain. The alteration is your systems.
# /etc/sysconfig/U
network-scripts/ifcfg-eth0
INFO
[1] ISC DHCP tools: http://www.isc.org/products/DHCP/
DEVICE=eth0
[2] Stephen Carville s DHCP-DNS: http://www.heronforge.net/~stephen/DHCP-DNS/dhcp-dns.html
ONBOOT=yes
BOOTPROTO=dhcp [3] Secure DDNS HOWTO: http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html
www.linux-magazine.com September 2002 47
Wyszukiwarka
Podobne podstrony:
2002 09 Creating Virtual Worlds with Pov Ray and the Right Front EndThe Kama Sutra Part V Chapter 3The Kama Sutra Part I Chapter 2The Kama Sutra Part VI Chapter 6The Kama Sutra Part III Chapter 5The Kama Sutra Part II Chapter 32002 09 Genialne schematyLearn Greek (1 Of 7) The Greek Alphabet, Part I2002 09 Transformator Tesli, część 1Andromeda S04E21 The Dissonant Interval Part 1Cordwainer Smith Instrumentality Of Mankind 09 The Colonel Came Back From Nothing At AllThe Kama Sutra Part III Chapter 3Matematyka dyskretna 2002 09 Grafy nieskierowaneThe Kama Sutra Part V Chapter 6DBZ Special Plan To Destroy The Saiya Jins Part 12014 01 08 KEYS TO UNLOCK THE IMPOSSIBLE REALM Part 2Conan Creatures of the Hyborian Age Part Iwięcej podobnych podstron