Create the file /etc/dhcp/dhclient.conf, and add an appropriate setting for each of the ten configuration settings which can be obtained via DHCP. For each setting, do one of the following:

If the setting should not be configured remotely by the DHCP server, select an appropriate static value, and add the line:

supersede setting value;

If the setting should be configured remotely by the DHCP server, add the lines:

request setting;
require setting;

For example, suppose the DHCP server should provide only the IP address itself and the subnet mask. Then the entire file should look like:

supersede domain-name "example.com";
supersede domain-name-servers 192.168.1.2;
supersede nis-domain "";
supersede nis-servers "";
supersede ntp-servers "ntp.example.com";
supersede routers 192.168.1.1;
supersede time-offset -18000;
request subnet-mask;
require subnet-mask;
By default, the DHCP client program, dhclient, requests and applies ten configuration options (in addition to the IP address) from the DHCP server: subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, host-name, nis-domain, nis-servers, and ntp-servers. Many of the options requested and applied by dhclient may be the same for every system on a network. It is recommended that almost all configuration options be assigned statically, and only options which must vary on a host-by-host basis be assigned via DHCP. This limits the damage which can be done by a rogue DHCP server. If appropriate for your site, it is also possible to supersede the host-name directive in /etc/dhcp/dhclient.conf, establishing a static hostname for the system. However, dhclient does not use the host name option provided by the DHCP server (instead using the value provided by a reverse DNS lookup).
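As an added example (not part of the original guidance), a small audit script for the dhclient.conf rule above: it classifies each of the ten default options as statically superseded, explicitly requested and required, only partially handled, or left at dhclient's default. The sample file it runs on is a constructed, shortened variant of the example configuration.

```python
import re

# The ten options dhclient requests and applies by default (see the text above).
DHCLIENT_OPTIONS = [
    "subnet-mask", "broadcast-address", "time-offset", "routers", "domain-name",
    "domain-name-servers", "host-name", "nis-domain", "nis-servers", "ntp-servers",
]

def parse_dhclient_conf(text):
    """Map option name -> set of directives ('supersede', 'request', 'require').
    Comments are stripped; quoted ';' or '#' inside values are not handled."""
    seen = {}
    for stmt in re.sub(r"#.*", "", text).split(";"):
        words = stmt.split()
        if len(words) < 2 or words[0] not in ("supersede", "request", "require"):
            continue
        if words[0] == "supersede":          # supersede <option> <value>
            seen.setdefault(words[1], set()).add("supersede")
        else:                                # request/require a, b, c
            for name in " ".join(words[1:]).split(","):
                seen.setdefault(name.strip(), set()).add(words[0])
    return seen

def audit_dhclient_conf(text):
    """'static' = superseded, 'dhcp' = requested and required, 'partial' = only
    one of the two, 'default' = not mentioned (dhclient still applies it)."""
    seen = parse_dhclient_conf(text)
    result = {}
    for opt in DHCLIENT_OPTIONS:
        directives = seen.get(opt, set())
        if "supersede" in directives:
            result[opt] = "static"
        elif directives == {"request", "require"}:
            result[opt] = "dhcp"
        elif directives:
            result[opt] = "partial"
        else:
            result[opt] = "default"
    return result

# Constructed sample: a shortened variant of the example file from the text.
SAMPLE_DHCLIENT_CONF = """\
supersede domain-name "example.com";     # static value
supersede routers 192.168.1.1;
supersede time-offset -18000;
request subnet-mask, broadcast-address;  # ask for both ...
require subnet-mask;                     # ... but only insist on one
"""
```

Every option reported as 'default' or 'partial' is still accepted from whatever server answers on the local network, which is exactly the exposure the rule is meant to close.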
Ensure that the following line exists in /etc/rsyslog.conf:

daemon.* /var/log/daemon.log

Configure logwatch or other log monitoring tools to summarize error conditions reported by the dhcpd process.

By default, dhcpd logs notices to the daemon facility. Sending all daemon messages to a dedicated log file is part of the syslog configuration outlined in the Logging and Auditing section.
Unless your network needs to support older BOOTP clients, disable support for the bootp protocol by adding or correcting the global option:
deny bootp;
The bootp option tells dhcpd to respond to BOOTP queries. If support for this simpler protocol is not needed, it should be disabled to remove attack vectors against the DHCP server.
Edit /etc/dhcp/dhcpd.conf and add or correct the following global option to prevent the DHCP server from responding to DHCPDECLINE messages, if possible:
deny declines;
The DHCPDECLINE message can be sent by a DHCP client to indicate that it does not consider the lease offered by the server to be valid. By issuing many DHCPDECLINE messages, a malicious client can exhaust the DHCP server's pool of IP addresses, causing the DHCP server to forget old address allocations.
To prevent the DHCP server from receiving DNS information from clients, edit /etc/dhcp/dhcpd.conf, and add or correct the following global option:
ddns-update-style none;
The Dynamic DNS protocol is used to remotely update the data served by a DNS server. DHCP servers can use Dynamic DNS to publish information about their clients. This setup carries security risks, and its use is not recommended. If Dynamic DNS must be used despite the risks it poses, it is critical that Dynamic DNS transactions be protected using TSIG or some other cryptographic authentication mechanism. See dhcpd.conf(5) for more information about protecting the DHCP server from passing along malicious DNS data from its clients.
Edit /etc/dhcp/dhcpd.conf. Examine each address range section within the file, and ensure that the following options are not defined unless there is an operational need to provide this information via DHCP:

option domain-name
option domain-name-servers
option nis-domain
option nis-servers
option ntp-servers
option routers
option time-offset
Because the configuration information provided by the DHCP server could be maliciously provided to clients by a rogue DHCP server, the amount of information provided via DHCP should be minimized. Remove these definitions from the DHCP server configuration to ensure that legitimate clients do not unnecessarily rely on DHCP for this information.
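As an added example (not part of the original guidance), a checker for the dhcpd.conf rules in this section: it confirms that the three global statements (deny bootp, deny declines, ddns-update-style none) are present and reports any of the listed options defined either globally or inside an address range block. Both configuration samples are constructed for the example.

```python
import re

# Required global statements and options not to be served (from the text above).
REQUIRED_GLOBALS = {"deny bootp", "deny declines", "ddns-update-style none"}
RESTRICTED_OPTIONS = {"domain-name", "domain-name-servers", "nis-domain",
                      "nis-servers", "ntp-servers", "routers", "time-offset"}

def statements(text):
    """Yield (depth, statement) for each ';'-terminated statement; depth 0 is global
    scope, depth >= 1 is inside a subnet/host/group block. Comments are stripped."""
    depth, buf = 0, ""
    for ch in re.sub(r"#.*", "", text):
        if ch == "{":
            depth, buf = depth + 1, ""     # the block header is not a statement
        elif ch == "}":
            depth, buf = depth - 1, ""
        elif ch == ";":
            yield depth, " ".join(buf.split())
            buf = ""
        else:
            buf += ch

def audit_dhcpd_conf(text):
    """Return missing required globals and every restricted option definition found."""
    found, served = set(), []
    for depth, stmt in statements(text):
        if depth == 0 and stmt in REQUIRED_GLOBALS:
            found.add(stmt)
        m = re.match(r"option\s+(\S+)", stmt)
        if m and m.group(1) in RESTRICTED_OPTIONS:
            served.append((m.group(1), depth))   # depth tells which scope serves it
    return {"missing": sorted(REQUIRED_GLOBALS - found), "served": served}

# Constructed samples, not taken from any real host.
WEAK_DHCPD_CONF = """\
ddns-update-style interim;           # DNS updates driven by client-supplied data
option domain-name "example.com";    # served globally
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;      # served inside the range section
}
"""
HARDENED_DHCPD_CONF = """\
deny bootp;
deny declines;
ddns-update-style none;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
}
"""
```

The parser does not handle quoted ';', '#' or braces inside values, which is sufficient for a configuration audit but not for a general dhcpd.conf parser.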
If the system does not need to act as a DHCP client, the dhcp-client package can be uninstalled. The dhcp-client package can be removed with the following command:

$ sudo dnf remove dhcp-client

Removing the DHCP client is necessary when the system works or will work in a static network environment. In this case the system has, or will have, a static IP address assigned.
If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The dhcp package can be removed with the following command:

$ sudo dnf remove dhcp

Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation.
The dhcpd service should be disabled on any system that does not need to act as a DHCP server. The dhcpd service can be disabled with the following command:

$ sudo systemctl mask --now dhcpd.service

Unmanaged or unintentionally activated DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one.
For each interface on the system (e.g. eth0), edit /etc/sysconfig/network-scripts/ifcfg-interface and make the following changes:

BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.
If the system does not need to act as a DHCP server, the kea package can be uninstalled.
Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation.