
I have a box connected to a largish local IPv4 network (no IPv6 at all) through a single Ethernet interface; normally, it is assigned an IP address from the 172.16.0.0 range.

From time to time, however, somebody plugs in a DHCP server by mistake, and I get an address from the 192.168.0.0 range (and a bogus set of routes). Is there a way of telling dhcpcd (or another DHCP client for Linux) to only accept offers from a specific IP range? Or perhaps a way to filter DHCPOFFER at iptables level, dropping bogus offers?

DHCPCD's manpage lists blacklist and whitelist options, but these seem to apply to the server's IP address, which is in the correct/expected range.

I am only in control of this box (and a few others in a similar role); network management is beyond my control.

  • Alternatives: - telling people not to plug in rogue DHCP servers doesn't quite work; - setting a static IP and route confuses other, legit network infrastructure; - NATing behind other boxes just moves the problem around, hoping that the other boxes always get a legit DHCP lease. – Piskvor left the building Jul 09 '19 at 13:38
  • 3
    Possible duplicate of [How to prevent or block other DHCP servers?](https://serverfault.com/questions/364954/how-to-prevent-or-block-other-dhcp-servers) – Tim Brigham Jul 09 '19 at 13:41
  • You are looking for dhcp snooping or similar, which needs to be applied to the switch, not the server. – Tim Brigham Jul 09 '19 at 13:42
  • @TimBrigham: That looks promising...but would require managed switches, I assume? And more importantly, access to those switches - I do not have authority to make such changes. Makes sense, thanks. – Piskvor left the building Jul 09 '19 at 13:48
  • So, while applicable in the long term, it's IMNSHO not a duplicate: "How do I fix this on a network client?" "That's not what you want, have someone make a major change in the network infrastructure" doesn't quite solve the problem :( – Piskvor left the building Jul 09 '19 at 15:20

2 Answers


Rather than trying to configure DHCP clients to only use specific DHCP servers (the point of DHCP is to be dynamic; hard-coding which servers to use would negate this), I would suggest configuring the network to only allow configured servers to run DHCP. This then prevents "rogue" DHCP servers from being able to operate.

shouldbeq931
  • Thanks. DHCP is fairly flexible, though - "acquire an IP address from *any* server" is just one of its many `option`s, though. Hardcoding a server still leaves most of the work to that server - which address specifically, routes, bootp, etc. While I agree that "don't do that, fix the root cause" is the most sensible option, I don't have the power to do that. – Piskvor left the building Jul 09 '19 at 13:55

Iff the DHCP server's IP address is stable and you only expect to use the client in a single network, you can use the whitelist option in /etc/dhcpcd.conf

whitelist 172.16.3.14

A looser possibility, if you know that rogue servers come from a well-defined IP range, is the blacklist option:

blacklist 192.168.0.0/16

If whitelist is used, blacklist is ignored.

Note that DHCP address assignment is a very trusting protocol by default: neither of these is bullet-proof, and they wouldn't protect you much; they're simple doorstops against unintentional misconfigurations.
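To make the distinction in this answer concrete (whitelist/blacklist match the *server's* address, and whitelist overrides blacklist) and the point raised in the question (the offered address and routes are separate fields that those options never look at), here is an added example that is not part of this answer or of dhcpcd itself. It parses a raw DHCPOFFER, applies a policy function that mimics the whitelist/blacklist semantics described above, and then adds the check the question actually wants: that the offered address (yiaddr) and the router option fall inside the expected prefix. The packets are constructed inline as sample input, and the expected prefix 172.16.0.0/12 is an assumption standing in for the question's "172.16.0.0 range".

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 cookie that precedes the options field
DHCPOFFER = 2                        # value of the message-type option (53) for an OFFER


def _packed(ip):
    """Four network-order bytes for a dotted-quad string."""
    return ipaddress.IPv4Address(ip).packed


def build_offer(server_ip, offered_ip, router_ip, xid=0x3903F326):
    """Build a minimal DHCPOFFER (BOOTREPLY). Constructed sample input, not a capture."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                 # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0,                  # transaction id, secs, flags
        b"\0" * 4,                  # ciaddr: client has no address yet
        _packed(offered_ip),        # yiaddr: the address being offered
        _packed(server_ip),         # siaddr: next-server address
        b"\0" * 4,                  # giaddr: no relay agent
        b"\0" * 16, b"\0" * 64, b"\0" * 128,   # chaddr, sname, file (zeroed)
    )
    options = (
        bytes([53, 1, DHCPOFFER])                # message type
        + bytes([54, 4]) + _packed(server_ip)    # server identifier
        + bytes([3, 4]) + _packed(router_ip)     # default router
        + b"\xff"                                # end option
    )
    return fixed + MAGIC_COOKIE + options


def parse_offer(packet):
    """Pull out the fields a rogue-offer check needs from a raw DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    yiaddr = ipaddress.IPv4Address(packet[16:20])
    siaddr = ipaddress.IPv4Address(packet[20:24])
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option
            i += 1
            continue
        if i + 1 >= len(packet):             # truncated TLV, stop rather than crash
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    server_id = ipaddress.IPv4Address(options[54]) if 54 in options else siaddr
    raw_routers = options.get(3, b"")
    routers = [ipaddress.IPv4Address(raw_routers[j:j + 4])
               for j in range(0, len(raw_routers) - 3, 4)]
    return {"msg_type": options.get(53, b"\0")[0], "yiaddr": yiaddr,
            "server_id": server_id, "routers": routers}


def dhcpcd_server_policy(server_id, whitelist=(), blacklist=()):
    """Mimic the whitelist/blacklist semantics described in the answer.

    Both lists match the server's address only; if a whitelist is set the
    blacklist is ignored. Entries may be single addresses or CIDR prefixes.
    """
    server = ipaddress.IPv4Address(server_id)
    nets = lambda entries: [ipaddress.IPv4Network(e, strict=False) for e in entries]
    if whitelist:
        return any(server in n for n in nets(whitelist))
    return not any(server in n for n in nets(blacklist))


def offer_acceptable(packet, expected_prefix, whitelist=(), blacklist=()):
    """Server-address policy plus the check the question asks for: offered
    address and routers must sit inside the expected prefix."""
    offer = parse_offer(packet)
    net = ipaddress.IPv4Network(expected_prefix)
    if offer["msg_type"] != DHCPOFFER:
        return False, "not an offer"
    if not dhcpcd_server_policy(offer["server_id"], whitelist, blacklist):
        return False, "server address rejected"
    if offer["yiaddr"] not in net:
        return False, "offered address outside expected range"
    if any(r not in net for r in offer["routers"]):
        return False, "router outside expected range"
    return True, "ok"


# Constructed sample offers (assumed addresses, not taken from a real network)
LEGIT = build_offer("172.16.3.14", "172.16.20.5", "172.16.0.1")
ROGUE = build_offer("192.168.0.1", "192.168.0.50", "192.168.0.1")
# A server inside the expected range handing out a bogus lease: the
# server-address lists never see this, the yiaddr check does.
SNEAKY = build_offer("172.16.9.9", "192.168.0.50", "192.168.0.1")
```

Run the three samples through `offer_acceptable(pkt, "172.16.0.0/12", blacklist=["192.168.0.0/16"])`: the legitimate offer passes, the 192.168 server is rejected by the blacklist, and the third one is only caught by the offered-address check, which is why the server-address options alone are the "doorstop" the answer describes.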