DHCP server configuration

Understanding DHCP Server Roles

A DHCP server automates IP address and network configuration assignment. In this chapter, you focus on:

Installing a DHCP server daemon
Designing scope(s) and options
Implementing reservations and overrides
Integrating with DNS
Testing and troubleshooting

The concepts of DHCP itself are assumed known from the parent chapter.

Most examples below use ISC DHCP (isc-dhcp-server / dhcpd) and Kea DHCP, as they are widely used on Linux servers. Adapt paths and service names to your distribution.

Planning Your DHCP Design

Before editing configuration files, decide:

Which interfaces will serve DHCP
Example: ens160 on 192.168.10.0/24 is your internal LAN; ens192 is WAN and must never serve DHCP.
Address ranges (pools) per subnet:

Network address and mask (e.g. 192.168.10.0/24)
Gateway (router) address (e.g. 192.168.10.1)
Dynamic pool (e.g. 192.168.10.100–192.168.10.200)
Reserved/static addresses outside the pool (e.g. 192.168.10.10–50)

Lease times:

Short for highly mobile or guest networks (e.g. 1–4 hours)
Longer for stable environments (e.g. 1–7 days)

DNS integration:

Use internal DNS servers?
Dynamic updates to DNS (DDNS) needed?

Security considerations:

Which VLANs/subnets should receive DHCP?
Do you need to restrict based on MACs / classes?
Are there DHCP relays between segments?

This planning directly shapes your server configuration.

Installing a DHCP Server

ISC DHCP (dhcpd)

On Debian/Ubuntu:

sudo apt update
sudo apt install isc-dhcp-server

On RHEL/CentOS/Rocky/Fedora:

sudo dnf install dhcp-server

Key files:

Main config: /etc/dhcp/dhcpd.conf
Default/daemon options (Debian/Ubuntu): /etc/default/isc-dhcp-server
Service: dhcpd.service or isc-dhcp-server.service

Kea DHCP

Kea is the modern replacement from ISC, with JSON configuration and hook architecture.

On many distros:

sudo apt install kea-dhcp4-server kea-dhcp6-server   # Debian/Ubuntu
sudo dnf install kea-dhcp4 kea-dhcp6                 # RHEL/Fedora (packages may differ)

Key files:

IPv4: /etc/kea/kea-dhcp4.conf
IPv6: /etc/kea/kea-dhcp6.conf
Service: kea-dhcp4.service, kea-dhcp6.service

The rest of this chapter focuses mainly on IPv4; IPv6 is configured similarly but with different options.

Basic ISC DHCP Configuration

Global Settings

Typical /etc/dhcp/dhcpd.conf skeleton:

option domain-name "example.local";
option domain-name-servers 192.168.10.5, 192.168.10.6;
default-lease-time 600;      # 10 minutes
max-lease-time 7200;         # 2 hours
authoritative;
log-facility local7;

Key directives:

option domain-name – DNS suffix clients append to short names.
option domain-name-servers – DNS servers for clients.
default-lease-time / max-lease-time – lease duration in seconds.
authoritative; – declare this server authoritative for the subnets it serves; prevents clients from waiting on other DHCP answers.
log-facility – where syslog/journald logs go (distribution-specific).

Defining a Subnet and Pool

Example for 192.168.10.0/24:

subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers                 192.168.10.1;
    option subnet-mask             255.255.255.0;
    option broadcast-address       192.168.10.255;
    option domain-search           "example.local";
    option domain-name-servers     192.168.10.5, 192.168.10.6;
    default-lease-time             1800;    # Override global (30 minutes)
    max-lease-time                 7200;
    pool {
        range 192.168.10.100 192.168.10.200;
        allow unknown-clients;
    }
}

Elements:

subnet – defines the network segment.
option routers – default gateway for that subnet.
pool – address range and admission rules for clients.

You can override global options inside subnet blocks for specific networks.

Binding to Interfaces

On Debian/Ubuntu, /etc/default/isc-dhcp-server:

INTERFACESv4="ens160"
INTERFACESv6=""

On RHEL-based systems, you often specify interfaces in the service unit or use the -4 -cf options via /etc/sysconfig/dhcpd. Otherwise, dhcpd listens on all interfaces with IPv4 addresses and valid subnets defined in dhcpd.conf.

Always ensure DHCP is not listening on WAN-facing or untrusted interfaces.

DHCP Reservations (Static Leases)

Reservations tie a specific MAC address to a fixed IP within a subnet. Example:

host fileserver {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.10.20;
    option host-name "fileserver";
}

Guidelines:

Place host declarations either inside the subnet block or at global scope; behavior varies slightly but is valid.
Reserved IPs should:

Be inside the subnet
Not be inside the dynamic range pool (to avoid conflicts)

You can also override options per host:

host printer1 {
    hardware ethernet 00:aa:bb:cc:dd:ee;
    fixed-address 192.168.10.30;
    option routers 192.168.10.254;   # special gateway
}

Controlling Who Gets an Address

ISC DHCP allows access-control and policy:

Allow/Deny Unknown Clients

Inside a pool:

pool {
    range 192.168.10.100 192.168.10.150;
    allow unknown-clients;
}

Or to only serve known (reserved) clients:

pool {
    range 192.168.10.100 192.168.10.150;
    deny unknown-clients;
}

Using Classes

You can classify clients based on vendor, user class, or custom options:

class "ip-phones" {
    match if substring (option vendor-class-identifier, 0, 9) = "IP-PHONE-";
}
subnet 192.168.10.0 netmask 255.255.255.0 {
    pool {
        range 192.168.10.100 192.168.10.150;
        allow members of "ip-phones";
    }
    pool {
        range 192.168.10.160 192.168.10.200;
        deny members of "ip-phones";
    }
}

This enables separate pools and options per device type.

Option Customization

Commonly used options:

option ntp-servers 192.168.10.5;
option sip-server code 120 = ip-address;    # custom option

To define a non-standard option:

option space myvendor;
option myvendor.myopt code 1 = ip-address;
class "myvendor" {
    match if option vendor-class-identifier = "MyVendorDevice";
    option myvendor.myopt 192.168.10.50;
}

Use this when integrating with specialized equipment (phones, thin clients, etc.) that expect vendor-specific options.

DHCP and VLANs / Relays

Often the DHCP server is not directly on the client subnet. A DHCP relay (typically on a Layer 3 switch or router) forwards client broadcasts (UDP 67/68) to your server’s unicast address.

Server configuration:

Create subnet blocks for each client network, even if no IP is configured on your server for those networks.

Example:

# DHCP server has IP only on 10.0.0.10
# Clients on 192.168.20.0/24 via relay
subnet 192.168.20.0 netmask 255.255.255.0 {
    option routers 192.168.20.1;
    range 192.168.20.50 192.168.20.150;
}

The relay’s IP in that subnet (e.g. 192.168.20.1) is used as the GIADDR; DHCP server uses this to know which subnet block applies.

On the relay device, configure something like “ip helper-address 10.0.0.10” pointing to your DHCP server.

Dynamic DNS (DDNS) Integration

To have DHCP dynamically create and update A/PTR records in DNS:

Basic ISC DHCP DDNS Setup

In dhcpd.conf:

ddns-update-style interim;
update-static-leases on;
ddns-domainname "example.local.";
ddns-rev-domainname "in-addr.arpa.";
zone example.local. {
    primary 192.168.10.5;
    key dhcp-update-key;
}
zone 10.168.192.in-addr.arpa. {
    primary 192.168.10.5;
    key dhcp-update-key;
}

And define a TSIG key:

key dhcp-update-key {
    algorithm hmac-sha256;
    secret "base64encodedsecret==";
}

Your DNS server (e.g. BIND) must be configured with the same key and ACLs allowing updates from the DHCP server.

Hostname Handling

Clients send a hostname via DHCP option 12 / FQDN options. Server can:

Register the hostname in example.local
Update PTR records for reverse lookups

Consistency requires properly configured client hostnames and DHCP options; behavior can vary by OS.

Kea DHCP4: JSON-Based Configuration

Kea uses a single JSON file (commonly /etc/kea/kea-dhcp4.conf). Minimal example:

{
  "Dhcp4": {
    "interfaces-config": {
      "interfaces": [ "ens160" ]
    },
    "lease-database": {
      "type": "memfile",
      "lfc-interval": 3600
    },
    "valid-lifetime": 1800,
    "renew-timer": 900,
    "rebind-timer": 1500,
    "option-data": [
      {
        "name": "domain-name-servers",
        "data": "192.168.10.5, 192.168.10.6"
      },
      {
        "name": "domain-name",
        "data": "example.local"
      }
    ],
    "subnet4": [
      {
        "subnet": "192.168.10.0/24",
        "pools": [
          { "pool": "192.168.10.100 - 192.168.10.200" }
        ],
        "option-data": [
          { "name": "routers", "data": "192.168.10.1" }
        ],
        "reservations": [
          {
            "hw-address": "00:11:22:33:44:55",
            "ip-address": "192.168.10.20",
            "hostname": "fileserver"
          }
        ]
      }
    ]
  }
}

Highlights:

interfaces-config.interfaces limits which NICs serve DHCP.
lease-database can be memfile, mysql, postgresql, etc.
subnet4 holds pools and per-subnet options.
reservations are embedded under each subnet or can be external via DB.

Kea also supports DDNS, high availability, and control via kea-ctrl-agent; these are configured with additional JSON sections and often a separate kea-dhcp-ddns.conf.

Service Management, Testing, and Validation

Enable and Start the Service

Using systemd (name depends on distro):

sudo systemctl enable --now isc-dhcp-server
# or
sudo systemctl enable --now dhcpd
# or
sudo systemctl enable --now kea-dhcp4

Validate Configuration

ISC DHCP:

sudo dhcpd -t -cf /etc/dhcp/dhcpd.conf

Kea:

sudo kea-dhcp4 -t -c /etc/kea/kea-dhcp4.conf

Fix any syntax errors reported before restarting the service.

Logs

Check logs for lease assignments and errors:

sudo journalctl -u isc-dhcp-server
sudo journalctl -u dhcpd
sudo journalctl -u kea-dhcp4

Or distribution’s syslog (e.g. /var/log/syslog, /var/log/messages).

Packet-Level Testing

From a client network:

Ensure client is configured for DHCP.
Watch server logs as it requests a lease.

Or capture traffic on the server:

sudo tcpdump -ni ens160 port 67 or port 68

You should see DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK exchanges.

Common Pitfalls and Troubleshooting Tips

No response to clients

Service not running or bound to wrong interface.
Firewall blocking UDP 67/68.
Missing/incorrect subnet declaration for the client’s network (especially with relays).

Clients get APIPA / 169.254.x.x

No valid DHCP offer received.
Check logs for “No free leases” or “not authoritative”.

Wrong gateway/DNS

Misconfigured option routers or option domain-name-servers in the relevant subnet block.

Address conflicts

Reserved IP inside the dynamic range.
Multiple DHCP servers on the same network (check switches/routers for embedded DHCP features).

DDNS failing

TSIG key mismatch or missing ACLs on DNS server.
Incorrect zone or reverse zone names.

Systematic use of config validation, logs, and packet captures will quickly narrow down most DHCP issues.

Hardening and Best Practices

Run DHCP only on internal/VLAN interfaces.
Use DHCP relay instead of placing servers in every VLAN.
Prefer reservations for critical infrastructure instead of static configuration on the host, so IPs remain centrally managed.
Keep clear documentation of:

Subnets, pools, reservations
Lease times
Dependencies on DHCP options (phones, PXE, etc.)

Consider high availability or failover features (Kea or ISC failover) for production environments; avoid single points of failure.

Configured carefully, a DHCP server becomes a robust, low-touch foundation service for your network.

Comments

Please login to add a comment.

Don't have an account? Register now!