DHCP server assigned its own address

Bill Shirley bill at c3po.polymerindustries.biz
Tue Sep 17 09:20:50 UTC 2019


The IP address of the DHCP server is 192.168.11.10
         range 192.168.11.10 *10.254.11.10*;
You configured it to assign its own address.

Also your range ending address is outside your subnet:
    option subnet-mask 255.255.255.0;

Bill

On 9/16/2019 9:31 PM, Larry Apolonio wrote:
>
> All,
>
> I have a weird problem that I am trying to solve.
>
> In short, for those who don't want to read the details, I am trying to figure out why the DHCP server assigned its own IP 
> address to another device.
>
>
> My dhcp server is running on CentOS 6.10 and is the regular RPM that comes with that distribution 
> dhcp-4.1.1-63.P1.el6.centos.x86_64.
>
> What is a little unusual is that webmin is used to manage the dhcp server, for the most part it works for our environment.
>
> Yesterday, I got a nagios alert that the server was no longer available.  This nagios server is on the same subnet as the 
> server so there was no weird firewall routing issues involved.  With the help of the networking guys, we found that another 
> machine took the IP address of our DHCP server.  This happened late July this year and it ended up being a human error, the 
> person spinning up a machine on this network assigned a static IP address to their machine that was the same IP as our server, 
> so we thought someone did it again.
>
> The difference this time is that it seems like the DHCP server itself assigned its own IP address
>
> Here is a sample of that subnet declaration, with IPs changed to protect the innocent
>
> # XXXXXX Subnet
> subnet 192.168.11.0 netmask 255.255.255.0 {
>         range 192.168.11.10 10.254.11.10;
>         option subnet-mask 255.255.255.0;
>         default-lease-time 28800;
>         option broadcast-address 192.168.11.255;
>         option routers 192.168.11.254;
>         option domain-name-servers 208.67.222.222 , 208.67.220.220;
>         option domain-name "example.local";
>         }
>
> The IP address of the DHCP server is 192.168.11.10, I personally would not do this, I would have not even had the DHCP server 
> IP address in that range.  But please read on
>
> This is a rarely used subnet, so a machine appearing on this subnet is rare, in fact I thought this subnet did not have a dhcp 
> declaration prior to me looking in to it.  Doesn't this log entry in /var/log/messages confirm it? (hostname was changed in 
> this paste)
>
> Sep 12 10:02:12 linuxdhcpserver dhcpd: No subnet declaration for eth0 (no IPv4 addresses).
> Sep 12 10:02:12 linuxdhcpserver dhcpd: ** Ignoring requests on eth0.  If this is not what
> Sep 12 10:02:12 linuxdhcpserver dhcpd:    you want, please write a subnet declaration
> Sep 12 10:02:12 linuxdhcpserver dhcpd:    in your dhcpd.conf file for the network segment
> Sep 12 10:02:12 linuxdhcpserver dhcpd:    to which interface eth0 is attached. **
>
> When the service was restarted 3 hours later, that same message about no subnet declaration for eth0 did not appear.
>
> One reason we use webmin is so that non-linux folk (AKA people without the root password) can log in to an easy web interface 
> to manage the service that the Linux server does, in this case dhcp.
>
> But it also logs what they did, up to a certain point, I can tell who edited which subnet declarations but not the exact 
> changes they did.
>
> From the webmin logs, until yesterday this subnet was not changed.
>
> From the command line I also ran last to see who logged in, it was either root, or a proper Linux server admin, and I admit 
> that someone in this group could be holding back, I don't think we did anything via CLI.
>
> So I am at a loss, trying to figure out why a DHCP server would assign its own IP address (it is pingable, no iptables rules 
> blocking ICMP), I thought conflict resolution would prevent it. If I am reading RFC1541 section 2.2 correctly.
>
> Did someone do a good job at cleaning up their tracks?  I don't think the effort or skill was there.  It would be easier to 
> just admit they made a mistake.
>
> Was webmin not logging correctly?  I really don't recall this subnet being on this server, because I do recall seeing that 
> message in the logs regarding no subnet declaration in the past.
>
> Couple solutions were proposed so this would not happen again, the biggest one is putting this server and its big brother 
> nagios server on its lonesome VLAN/subnet and restrict anything else from being on this subnet.  Seems overkill but this IP 
> hijack happened twice within 60 days when it has been fine for years.
>
> Thank you,
>
> Larry Apolonio
>
> Although I have been speaking English for a while now, I still have problems articulating my thoughts, thank you for your 
> patience.
>
>
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
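
The two problems pointed out in the reply (a range bound outside the subnet, and a range that covers the server's own address) can be caught before a configuration edit is deployed. The following is an added example, not part of the original thread or of ISC DHCP: a small Python check whose function name, the `static_addrs` parameter and the flat-subnet parsing are assumptions made for illustration, run against a constructed copy of the quoted declaration.

```python
import ipaddress
import re

# Constructed input: the subnet declaration quoted in the thread (trimmed).
SAMPLE_CONF = """
# XXXXXX Subnet
subnet 192.168.11.0 netmask 255.255.255.0 {
        range 192.168.11.10 10.254.11.10;
        option subnet-mask 255.255.255.0;
        option routers 192.168.11.254;
        }
"""

# Simplification (assumption): flat subnet blocks only, no nested pool { } blocks.
SUBNET_RE = re.compile(r"subnet\s+([\d.]+)\s+netmask\s+([\d.]+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?([\d.]+)(?:\s+([\d.]+))?\s*;")


def audit_ranges(conf_text, static_addrs):
    """Return findings for each IPv4 range statement in conf_text.

    static_addrs: addresses configured statically on the segment
    (the DHCP server itself, routers, monitoring hosts).
    """
    static = [ipaddress.ip_address(a) for a in static_addrs]
    text = re.sub(r"#.*", "", conf_text)  # drop comments
    findings = []
    for net, mask, body in SUBNET_RE.findall(text):
        subnet = ipaddress.ip_network(f"{net}/{mask}")
        for first, last in RANGE_RE.findall(body):
            last = last or first  # a single-address range has one bound
            ends = [ipaddress.ip_address(first), ipaddress.ip_address(last)]
            for addr in ends:
                if addr not in subnet:
                    findings.append(f"range address {addr} is outside {subnet}")
            low, high = sorted(ends)  # compare in order even if the pair is reversed
            for addr in static:
                if low <= addr <= high:
                    findings.append(f"range {first} {last} includes static address {addr}")
    return findings


if __name__ == "__main__":
    for line in audit_ranges(SAMPLE_CONF, ["192.168.11.10"]):
        print(line)
```

Running a check like this as a pre-restart step on the generated dhcpd.conf gives a record of the bad range independent of what the management front end logs.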