Server only for relayed requests, not broadcasts

Peter Rathlev peter at rathlev.dk
Wed Apr 24 17:24:24 UTC 2019


On Wed, 2019-04-24 at 10:40 +0200, Rob Janssen wrote:
> The forwarded DHCP requests are sent to the machine's IP on ens224
> (the router knows to forward them to this machine),
> however it appears that it is impossible to listen on an interface
> only for handling forwarded requests.  Is that true?

By default this is true. ISC DHCPd uses raw sockets unless compiled
otherwise. For it to receive packets on an interface, even if they're
actually destined to an address on another interface, it needs to
listen on the interface. And since it's a raw socket the server will
see local broadcasts.

You might try looking into compiling a version yourself with the
configure option "--enable-use-sockets". This will make the server not
use raw sockets but regular BSD sockets. And this again will make it
behave much more like you expect.

Take a look at this KB article:

https://kb.isc.org/docs/aa-00379

> So I have included a dummy section for ens192 like this:
> 
> subnet 172.22.16.0 netmask 255.255.248.0 {
>    deny unknown-clients;
>    deny client-updates;
>    not authoritative;
> }
[...]
> Even with this config, the server is logging requests that it simply
> should not see, like:

Could you add "ignore booting" to that subnet declaration? It's valid
syntax, though I'm not entirely sure it does what you want.

> I even tried an nftables filter:
[...]
> This catches the "wrong" packets, counter increases, but DHCPD still
> sees them.

This is again because of the raw sockets. Just like "tcpdump" will
actually see packets dropped by a filter, DHCPd will also.

-- 
Peter
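The distinction the thread is after (relayed requests versus a client's own broadcast) is visible in the BOOTP header itself: a request forwarded by a relay agent carries the relay's address in giaddr, while a locally broadcast request has giaddr 0.0.0.0. The Python parser below is an added example, not code from this thread or from ISC DHCP; the two packets it builds are constructed test data, and the 172.22.16.1 relay address is an assumption.

```python
import struct
from ipaddress import IPv4Address

# Fixed-size BOOTP header that precedes the DHCP options (RFC 2131, section 2).
_BOOTP = struct.Struct("!BBBB I HH 4s 4s 4s 4s 16s 64s 128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def classify_dhcp(packet: bytes) -> dict:
    """Return op, hops, giaddr and client MAC, plus whether a relay forwarded it.

    Relayed requests have a non-zero giaddr (and normally hops >= 1); a
    client's own broadcast arrives with giaddr 0.0.0.0.
    """
    if len(packet) < _BOOTP.size + len(MAGIC_COOKIE):
        raise ValueError("truncated BOOTP header")
    (op, _htype, hlen, hops, _xid, _secs, _flags, _ciaddr, _yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = _BOOTP.unpack_from(packet)
    if packet[_BOOTP.size:_BOOTP.size + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    relay = IPv4Address(giaddr)
    return {
        "op": op,
        "hops": hops,
        "giaddr": str(relay),
        "client_mac": chaddr[:hlen].hex(":"),
        "relayed": relay != IPv4Address("0.0.0.0"),
    }


def _sample(giaddr: str, hops: int) -> bytes:
    """Constructed DHCPDISCOVER (op=1, htype=1 Ethernet, hlen=6) for testing."""
    mac = bytes.fromhex("005056aabbcc")  # constructed example MAC, not real
    hdr = _BOOTP.pack(1, 1, 6, hops, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      IPv4Address(giaddr).packed,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    # Options: DHCP message type = DISCOVER (53, len 1, value 1), then END (255).
    return hdr + MAGIC_COOKIE + b"\x35\x01\x01\xff"


# One request as forwarded by the router (assumed relay 172.22.16.1) and one
# local broadcast of the kind the server was not supposed to act on.
RELAYED = _sample("172.22.16.1", 1)
LOCAL_BROADCAST = _sample("0.0.0.0", 0)

if __name__ == "__main__":
    for name, pkt in (("relayed", RELAYED), ("local broadcast", LOCAL_BROADCAST)):
        print(name, classify_dhcp(pkt))
```

A raw-socket server still receives both packets regardless of any nftables rule, so a check like this belongs in the server's own policy (or in the socket-based build), not in the packet filter.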
