Latest lease entry not the one offered to the client

Simon Hobson dhcp1 at thehobsons.co.uk
Fri Aug 14 16:20:03 UTC 2020


Klemen Sladic <gosturnca at gmail.com> wrote:

> Using ISC DHCP 4.3.5 server and client.
> DHCP server has these two entries in its dhcpd.leases (first lease at line 106, second at line 205):
> 
> lease 1.1.1.17 {
>   starts 4 2020/08/13 00:40:24;
>   ends 0 2020/08/23 00:40:24;
>   tstp 0 2020/08/23 00:40:24;
>   cltt 4 2020/08/13 00:40:24;
>   binding state active;
>   next binding state free;
>   rewind binding state free;
>   hardware ethernet 00:0d:ca:00:0f:dd;
>   set lease_mac = "0:d:ca:0:f:dd";
> }
> lease 1.1.1.28 {
>   starts 4 2020/08/13 03:03:13;
>   ends 0 2020/08/23 03:03:13;
>   tstp 0 2020/08/23 03:03:13;
>   cltt 4 2020/08/13 03:03:13;
>   binding state active;
>   next binding state free;
>   rewind binding state free;
>   hardware ethernet 00:0d:ca:00:0f:dd;
>   set lease_mac = "0:d:ca:0:f:dd";
> }

OK, the first observation is that neither has a client-ID - first thing anyone looks for is difference in Client-ID as that makes them different clients as far as the server is concerned.

> This made me think that 1.1.1.28 is the newest lease and should be the valid one for the client.

No, BOTH are valid for the client. Position in the file only matters where there are duplicate entries for an address - e.g. an address has been renewed and a new lease record written out.

> But if I do renew on the client it is being offered 1.1.1.17 (timestamps are in different zone, port is custom):
> 
> Aug 13 21:10:39 (none) daemon.info dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 17787
> Aug 13 21:10:39 (none) daemon.info dhclient: DHCPACK from 1.1.1.1
> Aug 13 21:10:41 (none) daemon.info dhclient: bound to 1.1.1.17 -- renewal in 392208 seconds.

So, what address did the client request? The client can request any address, and normally if it's available then the server will lease it - it's one way a DoD attack can be done. If the client requested 1.1.1.17 then what you are seeing is normal operation.

> Since some of my applications rely on knowing valid DHCP client IPs, this is a problem.

In the general case, you need to allow for a client having more than one address leased.

> Am I misinterpreting the dhcpd.leases file? I thought DHCP server appends most recent leases at the end?

As above, you are misinterpreting the leases file.
When a lease file cleanup is done, the leases will be written out in an undocumented order - which appears to be by IP address. When **UPDATES** to leases are done, then the new version is appended to the file - so if you see two entries for the same lease then the later one in the file is the current one.

Simon
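
The two rules from the reply above (a later record for the same address supersedes an earlier one, and one client may hold several addresses at once), as an added example that is not part of the original message or of ISC DHCP. The sample leases text is constructed, the function names are hypothetical, and the parser assumes lease blocks without nested braces and does not compare "ends" against the current time.

```python
import re
from collections import defaultdict

# Constructed sample in dhcpd.leases syntax; 1.1.1.40 appears twice (an update).
SAMPLE = """\
lease 1.1.1.17 {
  binding state active;
  next binding state free;
  hardware ethernet 00:0d:ca:00:0f:dd;
}
lease 1.1.1.28 {
  binding state active;
  next binding state free;
  hardware ethernet 00:0d:ca:00:0f:dd;
}
lease 1.1.1.40 {
  binding state active;
  hardware ethernet 00:0d:ca:00:0f:ee;
}
lease 1.1.1.40 {
  binding state free;
  hardware ethernet 00:0d:ca:00:0f:ee;
}
"""

LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.M | re.S)
STATE_RE = re.compile(r"^[ \t]*binding state (\w+);", re.M)  # skips next/rewind lines
MAC_RE = re.compile(r"^[ \t]*hardware ethernet ([0-9a-fA-F:]+);", re.M)

def current_leases(text):
    """Map ip -> (state, mac); a later record for the same ip replaces an earlier one."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state = STATE_RE.search(body)
        mac = MAC_RE.search(body)
        leases[ip] = (state.group(1) if state else None,
                      mac.group(1).lower() if mac else None)
    return leases

def active_by_mac(text):
    """Map mac -> list of every address whose current record is active."""
    out = defaultdict(list)
    for ip, (state, mac) in current_leases(text).items():
        if state == "active" and mac:
            out[mac].append(ip)
    return dict(out)
```

An application that needs the valid client addresses would take every address in the list for a MAC, not just the one that appears last in the file.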


