DHCP server assigned its own address

Larry Apolonio isc-dhcp at rh73.com
Wed Sep 18 13:54:58 UTC 2019


I should have used SED to sanitize my post.

Anyway, thanks all for your help. I fixed the subnet; it no longer has 
the IP address of the server.

I am now tasked to audit all of the other entries to make sure they look 
fine and do not overlap any statics.

LA


On 9/17/2019 2:20 AM, Bill Shirley wrote:
> The IP address of the DHCP server is 192.168.11.10
>          range 192.168.11.10 *10.254.11.10*;
> You configured it to assign its own address.
> 
> Also your range ending address is outside your subnet:
>     option subnet-mask 255.255.255.0;
> 
> Bill
> 
> On 9/16/2019 9:31 PM, Larry Apolonio wrote:
>>
>> All,
>>
>> I have a weird problem that I am trying to solve.
>>
>> In short, for those who don't want to read the details, I am trying to 
>> figure out why the DHCP server assigned its own IP address to another 
>> device.
>>
>>
>> My dhcp server is running on CentOS 6.10 and is the regular RPM that 
>> comes with that distribution dhcp-4.1.1-63.P1.el6.centos.x86_64.
>>
>> What is a little unusual is that webmin is used to manage the dhcp 
>> server, for the most part it works for our environment.
>>
>> Yesterday, I got a nagios alert that the server was no longer 
>> available.  This nagios server is on the same subnet as the server so 
>> there was no weird firewall routing issues involved.  With the help of 
>> the networking guys, we found that another machine took the IP address 
>> of our DHCP server.  This happened late July this year and it ended up 
>> being a human error, the person spinning up a machine on this network 
>> assigned a static IP address to their machine that was the same IP as 
>> our server, so we thought someone did it again.
>>
>> The difference this time is that it seems like the DHCP server itself 
>> assigned its own IP address
>>
>> Here is a sample of that subnet declaration, with IPs changed to 
>> protect the innocent
>>
>> # XXXXXX Subnet
>> subnet 192.168.11.0 netmask 255.255.255.0 {
>>         range 192.168.11.10 10.254.11.10;
>>         option subnet-mask 255.255.255.0;
>>         default-lease-time 28800;
>>         option broadcast-address 192.168.11.255;
>>         option routers 192.168.11.254;
>>         option domain-name-servers 208.67.222.222 , 208.67.220.220;
>>         option domain-name "example.local";
>>         }
>>
>> The IP address of the DHCP server is 192.168.11.10, I personally would 
>> not do this, I would have not even had the DHCP server IP address in 
>> that range.  But please read on
>>
>> This is a rarely used subnet, so a machine appearing on this subnet is 
>> rare, in fact I thought this subnet did not have a dhcp declaration 
>> prior to me looking in to it.  Doesn't this log entry in 
>> /var/log/messages confirm it? (hostname was changed in this paste)
>>
>> Sep 12 10:02:12 linuxdhcpserver dhcpd: No subnet declaration for eth0 
>> (no IPv4 addresses).
>> Sep 12 10:02:12 linuxdhcpserver dhcpd: ** Ignoring requests on eth0.  
>> If this is not what
>> Sep 12 10:02:12 linuxdhcpserver dhcpd:    you want, please write a 
>> subnet declaration
>> Sep 12 10:02:12 linuxdhcpserver dhcpd:    in your dhcpd.conf file for 
>> the network segment
>> Sep 12 10:02:12 linuxdhcpserver dhcpd:    to which interface eth0 is 
>> attached. **
>>
>> When the service was restarted 3 hours later, that same message about 
>> no subnet declaration for eth0 did not appear.
>>
>> One reason we use webmin is so that non-linux folk (AKA people without 
>> the root password) can log in to an easy web interface to manage 
>> the service that the Linux server does, in this case dhcp.
>>
>> But it also logs what they did, up to a certain point, I can tell who 
>> edited which subnet declarations but not the exact changes they did.
>>
>> From the webmin logs, until yesterday this subnet was not changed.
>>
>> From the command line I also ran last to see who logged in, it was 
>> either root, or a proper Linux server admin, and I admit that someone 
>> in this group could be holding back, I don't think we did anything via 
>> CLI.
>>
>> So I am at a loss, trying to figure out why a DHCP server would assign 
>> its own IP address (it is pingable, no iptables rules blocking ICMP), 
>> I thought conflict resolution would prevent it. If I am reading 
>> RFC1541 section 2.2 correctly.
>>
>> Did someone do a good job at cleaning up their tracks?  I don't think 
>> the effort or skill was there.  It would be easier to just admit they 
>> made a mistake.
>>
>> Was webmin not logging correctly?  I really don't recall this subnet 
>> being on this server, because I do recall seeing that message in the 
>> logs regarding no subnet declaration in the past.
>>
>> Couple solutions were proposed so this would not happen again, the 
>> biggest one is putting this server and its big brother nagios server 
>> on its lonesome VLAN/subnet and restrict anything else from being on 
>> this subnet.  Seems overkill but this IP hijack happened twice within 
>> 60 days when it has been fine for years.
>>
>> Thank you,
>>
>> Larry Apolonio
>>
>> Although I have been speaking English for a while now, I still have 
>> problems articulating my thoughts, thank you for your patience.
>>
>>
>> _______________________________________________
>> dhcp-users mailing list
>> dhcp-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/dhcp-users
> 
> 
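The audit mentioned at the top of this message (every range checked against its subnet, the server's own address and the static entries), sketched as an added example that is not part of the thread or of ISC DHCP. It is a regex scan of IPv4 `range` and `fixed-address` statements, not a full dhcpd.conf parser; the function name `audit`, the second subnet and the `host` entry are assumptions made for the demonstration.

```python
import ipaddress
import re

# Constructed sample: the first subnet is the declaration quoted in the thread,
# the second subnet and the host entry are invented for the demonstration.
SAMPLE_CONF = """
subnet 192.168.11.0 netmask 255.255.255.0 {
        range 192.168.11.10 10.254.11.10;
        option routers 192.168.11.254;
}
subnet 192.168.12.0 netmask 255.255.255.0 {
        range 192.168.12.100 192.168.12.200;
}
host printer { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.12.150; }
"""

SUBNET_RE = re.compile(r"\bsubnet\s+([\d.]+)\s+netmask\s+([\d.]+)")
RANGE_RE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?([\d.]+)(?:\s+([\d.]+))?\s*;")
FIXED_RE = re.compile(r"\bfixed-address\s+([^;]+);")

def audit(conf, server_ips=()):
    """Return findings for every IPv4 range statement in a dhcpd.conf text."""
    conf = re.sub(r"#.*", "", conf)  # drop comments before scanning
    nets = [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in SUBNET_RE.findall(conf)]
    reserved = {ipaddress.ip_address(ip): "server address" for ip in server_ips}
    for value in FIXED_RE.findall(conf):
        for item in value.split(","):
            try:
                reserved[ipaddress.ip_address(item.strip())] = "fixed-address"
            except ValueError:
                pass  # fixed-address given as a hostname; not resolved here
    findings = []
    for start, end in RANGE_RE.findall(conf):
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end or start)
        label = f"range {lo} {hi}"
        net = next((n for n in nets if lo in n), None)
        if net is None:
            findings.append(f"{label}: start is in no declared subnet")
        elif hi not in net:
            findings.append(f"{label}: end is outside {net}")
        first, last = min(lo, hi), max(lo, hi)  # tolerate reversed endpoints
        for ip, why in sorted(reserved.items()):
            if first <= ip <= last:
                findings.append(f"{label}: includes {ip} ({why})")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONF, server_ips=["192.168.11.10"]):
        print(line)
```

Pass the server's own interface addresses in `server_ips`; statically configured machines that have no `host` entry in the file can be passed the same way.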

