By Bineli Manga, Alibaba Cloud Community Blog author.
Dynamic Host Configuration Protocol (DHCP) is a communication protocol used to automatically assign IP addresses to devices connected to a local network or over the internet. Prior to the invention of DHCP, adding any new computer to a network required manual action to associate its MAC address with an IP address, which made managing a network with a large number of hosts complicated. However, with DHCP installed and configured on a local network, any computer that is accepted in the network automatically gets an IP address associated with its MAC address. A Domain Name Server (DNS) manages the generation of IP addresses, and a DHCP server automatically distributes the configuration among the hosts.
This tutorial will illustrate how you can install and set up a DHCP server on a local network to achieve a fully automatic network configuration. This tutorial will also show how you can manage a small network like the one generally available at home and will also assist in connecting computers with other local Internet of Things (IoT) devices such as lights, air conditioners, and refrigerators.
To get started with this tutorial, you will need a Linux virtual machine (VM) (preferably Ubuntu VM) with access to the internet. For this, you can purchase an Alibaba Cloud Elastic Compute Service (ECS) instance and choose Ubuntu as the operating system.
To install the DHCP server on the Linux VM, first update the package repository index by executing the following command.
$ sudo apt-get update
After updating the package list, install the DHCP package using the following command.
$ sudo apt-get install isc-dhcp-server -y
After installing the DHCP server, get the server's IP address using the ifconfig command. In this tutorial, the command reports the IP address 192.168.110.1.
The DHCP configuration file is located at /etc/dhcp/dhcpd.conf.
Run the following command to open the file.
$ sudo nano /etc/dhcp/dhcpd.conf
Add the following lines in the configuration file to define the subnet, range of IP addresses, domain and domain name servers.
subnet 192.168.110.0 netmask 255.255.255.0 {
While defining subnet information (range, default gateway, domain name server), make sure to end the lines with a semi-colon (;) and enclose them in curly braces { }. The range defines the pool of IP addresses from which addresses are allocated to DHCP clients. To specify the range of leased addresses, add the following line.
range 192.168.110.5 192.168.110.10;
Next, to specify the default gateway, add the following line.
option routers 192.168.110.1;
To specify the domain name servers, add the following line.
option domain-name-servers 8.8.8.8, 8.8.4.4;
To set up a DHCP server, execute the following steps to configure the global settings.
Step 1: To specify the default and maximum lease time, find the parameters default-lease-time and max-lease-time in the configuration file and change their values as shown below.
default-lease-time 600;
max-lease-time 7200;
Step 2: In case of multiple interfaces, define which interface the DHCP server should use to serve DHCP requests. In the configuration file, find and edit the value of INTERFACESv4 to update it with the preferred interface to serve the requests.
INTERFACESv4="eth0"
Step 3: To make this DHCP server the official DHCP server for the clients, uncomment the following line in the configuration file by removing the # character as shown below.
authoritative;
After implementing the preceding basic configuration, you'll need to save and close the configuration file.
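Before restarting the service, the fragments above can be checked as one file. The following is an added example, not part of the original post: it assembles the tutorial's lines into a complete subnet declaration and checks that every statement ends with a semi-colon and that the range and router addresses lie inside the declared subnet. The function name check_subnets is hypothetical, and the parser assumes simple, non-nested subnet blocks with plain "range low high" statements.

```python
import ipaddress
import re

# Constructed from the tutorial's lines, assembled into one complete file
# (closing brace added, range kept inside the subnet).
SAMPLE_CONF = """
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 192.168.110.0 netmask 255.255.255.0 {
    range 192.168.110.5 192.168.110.10;
    option routers 192.168.110.1;
    option domain-name-servers 8.8.8.8, 8.8.4.4;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)


def check_subnets(conf):
    """Return (problems, pool_sizes) for simple, non-nested subnet blocks."""
    problems, pools = [], {}
    conf = re.sub(r"#.*", "", conf)                  # strip comments
    for addr, mask, body in SUBNET_RE.findall(conf):
        net = ipaddress.ip_network(f"{addr}/{mask}")
        stmts = [s.strip() for s in body.split(";")]
        if stmts[-1]:                                # text after the last ';'
            problems.append(f"{net}: missing ';' after '{stmts[-1]}'")
        for stmt in stmts[:-1]:
            flat = " ".join(stmt.split())
            if "\n" in stmt:                         # two statements fused
                problems.append(f"{net}: missing ';' in '{flat}'")
                continue
            words = flat.split()
            if words[:1] == ["range"]:
                ips = [ipaddress.ip_address(w) for w in words[1:3]]
            elif words[:2] == ["option", "routers"]:
                ips = [ipaddress.ip_address(w.rstrip(",")) for w in words[2:]]
            else:
                continue
            bad = [ip for ip in ips if ip not in net]
            problems.extend(
                f"{net}: {words[0]} address {ip} is outside the subnet" for ip in bad)
            if words[0] == "range" and not bad:      # number of leasable addresses
                pools[str(net)] = abs(int(ips[-1]) - int(ips[0])) + 1
    return problems, pools
```

The server's own syntax test, `dhcpd -t -cf /etc/dhcp/dhcpd.conf`, should still be run before restarting the service.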
Now, use the following commands to manage the DHCP server.
To verify whether the service is running fine, check the status of DHCP service by running the following command in a terminal window.
$ sudo systemctl status isc-dhcp-server.service
To start the DHCP service, run the following command in a terminal window.
$ sudo systemctl start isc-dhcp-server.service
To stop the DHCP service, run the following command in a terminal window.
$ sudo systemctl stop isc-dhcp-server.service
To restart the DHCP service, run the following command in a terminal window.
$ sudo systemctl restart isc-dhcp-server.service
Next, the network settings on the client computer need to be configured to obtain an IP address from a DHCP server. Here, let's use another Ubuntu 18.04 LTS machine as the client computer. On the client computer, open the Settings application from Ubuntu's Dash menu.
Select the Network tab from the left pane of the Settings application, and open the adapter settings by clicking on the cog icon in front of it. Make sure it is ON. It will open the adapter settings window. Now, select the IPv4 tab from the top menu, and then select the Automatic (DHCP) option.
Click Apply to save the changes and restart network services by running the following command in Terminal.
$ sudo systemctl restart NetworkManager.service
Now, launch the Terminal and type the following command to find the IP address of the system.
$ ip a
The above command will result in an IP address that will be from the range defined in the DHCP server configuration. If the client still does not obtain an IP address from the DHCP server, restart the system.
To find out what addresses have been assigned to clients by the DHCP server, open the machine configured as a DHCP server, and type the following command in Terminal.
$ dhcp-lease-list
The lease is the amount of time for which an IP address is assigned to a computer. From this list, verify whether the DHCP client with the MAC 00:0c:29:d4:cf:69 is provided with the IP address 192.168.110.5 from the DHCP server.
With this, the setup is complete and the DHCP server is up and running. Now, use this DHCP server to assign IP addresses.
A DHCP server is vulnerable to different types of attacks. Let's take a look at some of the attack types and tips on how to prevent or mitigate these risks.
Since the DHCP protocol doesn't require authentication from the client to provide network configurations, any user who has access to the network may obtain an IP address lease. The data sent by the DHCP server may reveal the IP addresses of the DNS servers, which may compromise the network's security. Malicious users who have access to a DHCP-enabled network may create a denial-of-service attack on DHCP servers by flooding the server with a high number of lease requests, thereby depleting the number of leases that are available to other DHCP clients.
The DHCP starvation attack is an attack where the hacker exhausts the address space available to the DHCP servers for a particular time period. This kind of attack is conducted by broadcasting DHCP requests with spoofed MAC addresses. Also, to gain access to the network, attackers exploit DHCP snooping, a mechanism used to secure the network by filtering untrusted DHCP messages and by creating and maintaining a DHCP snooping binding database.
A hacker may set up a fake DHCP server on the attacked network in order to carry out man-in-the-middle, sniffing and reconnaissance attacks. This fake server is called a rogue server, and the attacker uses it to supply the clients with fake addresses and other network information in order to snoop on the data packets. The rogue server then provides its own DNS servers and network gateways, which redirect clients to malicious websites where the attackers perform phishing attacks to obtain the clients' confidential information, such as credit card numbers and passwords.
Maintaining proper physical security protocols for hardware components such as servers, switches, and routers limits unauthorized access to the server system. Restricting wireless access for unauthorized individuals inside or outside the system by maintaining user access policies also strengthens the security perimeter.
Audit logging should be enabled for every DHCP server on the network, and the log files should be reviewed regularly. These log files provide a safeguard at times when the DHCP server receives an unusually high number of lease requests from the clients. An audit log file contains the information required to track the source of attacks made against the DHCP server. The system event log should also be analyzed for explanatory information about the DHCP Server service. In cases where the clients are running a Microsoft OS with 802.1 enabled switches, authentication occurs before the DHCP server assigns a lease, offering better security.
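On the Linux server built in this tutorial, the equivalent of that log review can be automated against the dhcpd entries in syslog. The following is an added example, not part of the original post: it flags a burst of DHCPDISCOVER messages from many different MAC addresses inside a short window and the first "no free leases" message. The sample lines are constructed, and the function name, thresholds and assumed year are hypothetical.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample in the isc-dhcp-server syslog format: one normal client,
# then a burst of DISCOVERs from many different MACs (not real traffic).
SAMPLE_LOG = [
    "Mar 13 10:15:01 dhcp-srv dhcpd[1234]: DHCPDISCOVER from 00:0c:29:d4:cf:69 via eth0",
    "Mar 13 10:15:02 dhcp-srv dhcpd[1234]: DHCPOFFER on 192.168.110.5 to 00:0c:29:d4:cf:69 via eth0",
] + [
    f"Mar 13 10:20:{i:02d} dhcp-srv dhcpd[1234]: DHCPDISCOVER from 02:00:00:00:00:{i:02x} via eth0"
    + (": network 192.168.110.0/24: no free leases" if i >= 6 else "")
    for i in range(1, 9)
]

DISCOVER_RE = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8})\s.*dhcpd(?:\[\d+\])?: DHCPDISCOVER from "
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})(.*)$", re.IGNORECASE)


def detect_starvation(lines, window_s=60, max_macs=5, year=2024):
    """Return (timestamp, kind) alerts for DISCOVER floods and pool exhaustion."""
    alerts, recent = [], deque()      # recent: (time, mac) inside the window
    flooding = exhausted = False
    for line in lines:
        m = DISCOVER_RE.match(line)
        if not m:
            continue
        stamp, mac, tail = m.group(1), m.group(2).lower(), m.group(3)
        # Syslog omits the year, so the caller supplies one (assumption).
        now = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        recent.append((now, mac))
        while (now - recent[0][0]).total_seconds() > window_s:
            recent.popleft()          # drop requests older than the window
        distinct = len({addr for _, addr in recent})
        if distinct > max_macs and not flooding:
            alerts.append((stamp, "discover-flood"))   # alert once per burst
        flooding = distinct > max_macs
        if "no free leases" in tail and not exhausted:
            exhausted = True
            alerts.append((stamp, "pool-exhausted"))
    return alerts
```

The threshold should be set relative to the size of the configured pool and the number of clients that normally join the network within the window.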
In addition, administrative access to DHCP should be restricted to a limited number of individuals. Only a member of the Administrators group or the DHCP Administrators group should be allowed to administer DHCP servers using the DHCP console or the Netsh commands for DHCP. Make sure that users who need read-only access to the DHCP console are added to the DHCP Users group instead of to the DHCP Administrators group. Even though nothing is completely secure in the cyber world, a few safety measures included in the security policy may save an organization from cyber threats.
To sum up, this tutorial intends to help users install and configure a DHCP server on their own. It focuses on how to configure a DHCP server to match specific needs. It also lists various attacks that a DHCP server may face and finally suggests how to protect it from these attacks.