From the course: LPIC-2 Linux Engineer (202-450) Cert Prep

Building a DHCP server

- You can use any Linux machine as a DHCP server on your network. Stay tuned, we'll show you how to set it up. You are watching ITProTV. (upbeat music) (whooshing) Welcome back for more LPIC-2. I'm here with Don and today's episode is all about building a DHCP server. So what do we need to know before we kind of jump into this episode?

- Well, we're going to tackle a few different things. We're going to do the normal stuff, getting the DHCP server installed. Then we'll take a look at a basic configuration and what it takes to really just get this up and running and serving IP addresses on your network. DHCP is really important. So we need to make sure this is a stable, reliable service. And you'll see it's actually pretty easy to do.

- So for starters, what software do we need for this?

- Alright, well, most Linux distributions are not going to have DHCP installed by default. They'll have a DHCP client, but not a DHCP server. So we do have to install something. And the de facto standard for DHCP is the ISC DHCP server. Now I realize I'm throwing out a lot of acronyms here. So let me back up just a little bit here. If you're not familiar with DHCP, it's the Dynamic Host Configuration Protocol. But if you've made it all the way here to LPIC-2, the odds are, you know what that is, right? Just a system that's dynamically handing out IP addresses to clients on the network. We don't want that installed by default because every Linux box that comes up would be handing out wrong addresses and that would just wreak havoc everywhere. So we need to get it installed. Now the ISC, if you're not familiar with them, let me bring up their webpage real quick. The ISC is the Internet Systems Consortium and they've taken over several open source projects that deal with network infrastructure. DHCP just happens to be one of them. So the ISC DHCP server is the standard DHCP server found in Red Hat, CentOS, Ubuntu, Debian, Mint, pretty much every distro that's out there.
There are other DHCP daemons available, but ISC's really kind of got the main one. On some distros they'll just refer to this as DHCP or DHCPD in some cases. But in Ubuntu and Debian, they actually refer to it as the ISC DHCP server. It's very clear that that's what it is. So if we want to get up and going with DHCP, we just need to get that installed. Let me jump over to my terminal and I'll show you how easy that is. So I'm on Ubuntu 20.04 and if I want to install it, I can just say sudo apt install isc-dhcp-server like that. It's going to find it. There's not a whole lot to it, it's a very simple service, I'll just say yes. And that's going to get that one installed. On some distros it'll automatically start, on others, it won't. And I actually prefer it not to start because there's certain errors that can happen before we configure it. So it's usually a good idea not to start it right away, go and do some of your other configuration and then start it up afterwards. But otherwise we've just installed it.

- So what's the minimum configuration that we need to get started?

- So the minimum thing that DHCP needs is an IP range, right? So we just need a range of IPs that we can hand out, but that range of IPs needs to match up with an IP address on a network interface on our server. So, you know, we've got to be able to communicate on the same network that we're issuing out addresses. So that's kind of an important thing that we need to have. And to do all this, we need a configuration file. Now the configuration file follows its own little syntax. It's somewhat unique, it's frustrating is what it is. It's a crazy type thing. But if you know what to put in, there's actually a very small amount of commands that you need. But let me show you, when we installed it, it actually creates an example file for us. If you go into /etc/ or not etc, /usr/share/doc, this is where a lot of documentation for our services ends up.
And you'll see that the DHCP server has its own folder in here, which is isc-dhcp-server. And if you poke around in here, you'll find a number of different files including the examples folder. And inside of examples we'll find dhcpd.conf.example. Now some people on the internet will say, "just copy this file, copy it right over to your config and then use it". But you'll typically find this has a lot of stuff in it that you just don't need. And let me show you here, I'm going to list that file so we can look at it and you'll see it has a ton of stuff in there, all heavily documented. So while you could copy this over, it's usually better just to create one from scratch. But this gives us the guidance of what we need to put in our configuration so that we can get it set up. As you look at it though, you'll see where it's calling out the various things that we need to create like an IP range. So here's an example of an IP range. They're giving out 10.254.239.10 all the way through 10.254.239.20, small 11 IPs. That's what they're handing out. They need to have a matching interface, a physical interface that matches up with that to be able to issue those IPs. So typically you're going to have that already. You just need to know what yours is. To find out what ranges you've got on your server, you can just run ip address or ip a and you'll get a list of the networks you're connected to. I'm connected to the 10.222.0 network and the 172.16.1 network. So I can hand out IP addresses for either of those ranges. I just need to do the configuration for it.

- So where does that configuration need to go?

- Okay, so that sample configuration I showed you, that doesn't get read. So it's in the wrong spot. The right spot for it is in /etc/dhcp. So let me jump over to that folder and looking at it, I can actually see that we've got a dhcpd.conf file right there. So that's the configuration. There's also a dhcpd6.conf and that's for IPv6's version of DHCP.
Now when somebody's kind of just getting started with IPv6, it's really easy to take our IPv4 knowledge and apply it to IPv6. And that's not always right. This is an example of where that would be wrong. Very few people use DHCP version six. IPv6 has its own way of doing automatic addressing and it doesn't require a DHCP server to do it. We usually use router advertisements for that. So it's rare that you'll set up a DHCP server for IPv6, but for IPv4 it's a given, right? So on the exam you're going to see IPv4 for this one and that dhcpd.conf file, that's the one that we want. Now if you look at it, it might actually be just a copy of that example file. And so you might see quite a bit of documentation that's in there or it might be blank depending on your distro. Some of them do start out as blank. What I will normally do is take what's in here and just move it to a different file. So I'm going to do a sudo mv dhcpd.conf and I'm going to move that to dhcpd.conf.bak just to get it out of the way. And then from here we can do a sudoedit dhcpd.conf and we can create a nice new blank file that we're just putting in the information that we need and get that kind of in place. So all I really need, like let me just give you a sample range here. If I want to serve up addresses on the 172.16 network, then I would come in and say subnet 172.16.1.0, that's my network. And then I would say netmask 255.255.255.0. That's the subnet mask for that network. I'll do a curly brace to open up the configuration options inside of this subnet. And then you can either do like double spaces or a tab, whatever makes you happy. And in here I'll put in my first range, I'll say range. And I'm going to hand out 172.16.1.100 space to 172.16.1.200. So I'm going to hand out 101 IPs. So I put that block in there, throw a semicolon at the end of it 'cause that line is done and then close that with a curly brace right there.
So once all that's in place now I've defined that range and the DHCP server knows that it can hand it out. And my config file is a lot easier to read because it just has the block that I need. And I could add my own comments in if I wanted, maybe this is like a student lab, so I could do a pound symbol to do a comment and say this is my student lab network and now when I look at this config file in the future, I'll remember what that range is and be able to differentiate it from other things.

- So that's pretty simple. Can we kind of do more with this?

- Yeah and you likely will. So I just did the bare minimum right there, right, that's the minimum configuration to make DHCPD happy. But if somebody requests an address right now, they're going to get this address and then what? Well they're missing some things. They probably want their default gateway or the router that they talk to, they probably want some name servers, right. There's other options that we want to hand out, but they're exactly what I just said. Options, we don't have to have them, but most people expect them. Most computers are going to want those extra things. So some of the other things that we'll add in here on the range itself, we will usually add a few different values. So I'm going to come through and just do some of them. We'll usually want to advertise out what our netmask is. If we don't advertise a subnet mask, it's going to try and calculate it on its own. It's going to use the old classful boundaries. So it would see my 172.16 network and assume it was a class B or 255.255.0.0 network. And that's not what I've got. I've actually got what would be a class C or a 24 bit subnet. So I need to advertise that out so it knows. I'll just say option subnet-mask and then I'll punch in that subnet mask and that way I advertise that out to clients when they connect too. And notice I'm doing a semicolon after each option, I need to do a semicolon so it knows I'm dividing from one to the next.
Another option would be the gateway. So I'll say option routers and then I'll punch in with a router that they're going to use. Mine will be 172.16.1.1. That's their default gateway. When they want to access other networks, they kind of need to know that. So we'll punch that in. I might do DNS servers. DNS servers are a little bit different because I'll typically have more than one. Usually like with a gateway, you've only got one, with a subnet, you always have one. But with name servers we have multiple. So I'll say option domain-name-servers, and then I'll specify each server separated by a comma. So we'll use Google's 8.8.8.8 comma 8.8.4.4, semicolon. The comma lets it know I'm about to provide multiple values. Semicolon lets me know that it's the end of the list. There's other things you might give out like a DNS search suffix, right? So if somebody does a search for a single name, what domain do we append to the end of that? We can say option domain-search and then a name. This one we do have to put in quotes so it knows that it's a text name. I'll do lab ITProTV followed by a semicolon. And so there's like a block of options right there. These are all options that apply to the range, but I might have some options that I apply to the entire server. For example, the lease time when somebody gets an address, how long is that lease valid? Is it valid for a day, a month, a year? It's up to us and how much our network changes. We usually want it to be something somewhat short. So I might do DHCP leases that are only eight hours. Well the DHCP server has default values that are in effect right now. I don't know what they are. They're defaults, right? So it is whatever it is, I might want to override that. So I do know what it is. I want it to be eight hours. Maybe that is the default. I don't know, I'll just hard set it. So I'll go up here to the top of my config file and I'm going to add a new just comment here and I'll label it as general settings.
I'm just doing this so I can remember. I don't have to do that. And then I'll add in a few more things. I'll say default-lease-time and then how long I want a default lease to be. And this is time in seconds. So if I want it to be eight hours, how many seconds are in eight hours? Well oddly enough, it is 28,800. I did not do that math in my head. I had it written in my notes, but that is eight hours. And then I might want to set a maximum lease time 'cause people can request a longer lease if they want. So I'll say max-lease-time and maybe I'll set my maximum lease time at 24 hours. So 24 hours is 86,400 seconds. Helps to have a little cheat sheet and so that's how many seconds that one is. So now I've set those apart. I've got a much more detailed range and I've got some lease time values that I've adjusted. This is a fairly robust configuration so it covers the various settings that I need. And now I really look like more of a production ready DHCP server.

- And now that we're all configured, how do we go about starting it up?

- Oh yeah, so now we've got a good configuration so we should be ready to start it up. Now I'm saying should and there's a reason for that. On Ubuntu, so if you're on an Ubuntu system like I am, yeah it's ready to start up. You've got no problem. If you're on Fedora, ready to start up, no problem. But if you're on Red Hat Enterprise Linux like RHEL7, RHEL7 actually has a little bit of an issue where it won't start unless the DHCP database exists. So let me show you how to check that. So I'm going to get out of that configuration file and I'm going to go into, let's see, it is buried in /var/, we got to find it. Now I got to remember where it is. It is in /var/lib. There we go. Hard to remember, /var/lib/dhcp. If you take a look in there, you'll see several files or maybe it won't, maybe it'll be empty.
You should see a file called dhcpd.leases and if the service is running, you'll see a second file called dhcpd.leases with a tilde at the end of it letting you know that it's got a temporary file, right? Because it's actually maintaining the leases in RAM and periodically writing 'em to disk. And so that's why these files exist. If those files exist, you're ready to start up. Not a problem. But on some Linux boxes those files don't get created automatically and if the files are missing, you'll get an error when you try to start it up. And if that's the case, all you need to do is sudo touch dhcpd.leases and that'll create that file and then the service will start right up. RHEL8 does that fine, RHEL7 doesn't. So that's why I just want to mention it here for you out in real life land. But assuming it's all in there, you can do a sudo systemctl enable --now isc-dhcp-server. And when you run that, it's going to turn the service on and it's going to start it up. There's a chance it's already running, mine was already running. So I'm going to follow that up with a just double safe sudo systemctl restart isc-dhcp-server and that's going to make sure that it loads all the configuration changes that I made. But at this point we're up, we're running, we should be in pretty good shape. There's one more thing that might be causing us a problem. If you've got a firewall, it might be blocking DHCP requests. So do a quick check of that. I've got UFW, so let me do a sudo ufw status. I can see that UFW is blocking DHCP, so I need to allow that through. So to do that really quickly you can just say sudo ufw allow 67/udp. DHCP uses port 67. It's all UDP, this is all broadcast traffic. So that's going to allow it and you may need to follow it up also with sudo ufw allow bootps and that's the old BOOTP or the boot protocol that lets you do network boots. They rely on a lot of what DHCP does as well.
So I'm going to add that one. With those two rules in place, now we've got it and we're ready to rock it. In fact, when I ran that bootps CO, it says skipping adding existing rule. So it bumped into what I've already got and so I am okay. If I take a look at that status, I can see 67/UDP is all that was really added. Now I'll receive DHCP requests and answer back with IPs. I'm up and running.

- And are there tools for monitoring DHCP just to make sure that it's working right?

- Yeah, there's a few ways. I mean you could just go to a client and try and connect, right? That's one way, but it requires you exerting effort, right? So there's some things we could do right here on this server. There is an older command that works on some distros. I actually don't think it works on Ubuntu. Let me try it out here, which is sudo dhcpd config test. That's going to take a look at your DHCP configuration and look for errors. Oh, it did actually work, so it did a quick scan. Oh wow, glad we scanned this one. I have a typo. And so it helped find that typo right here. Option, I was supposed to type domain-search. I had a mistake, it found it. In a perfect world, I would've run this before starting the DHCP server or restarting it because it likely ran into an error, which I could also check by doing sudo systemctl status isc-dhcp-server. And when I look at it, big red warning right there, failed, right? So we had a problem. It's actually not up and running. It's great for the episode, I didn't do that on purpose. So let's go and fix that real quick. I'll do a sudoedit /etc/dhcp/dhcpd.conf and I'll go find my mistake right here. Domain search is spelled wrong so I'll fix that. I'm going to get out of my configuration. I'm going to rerun sudo dhcpd config test and it's going to run through and check. Looks like everything is good. It says not configured to listen on any interface, but that's okay for what I've got right now. And so it should be ready to start.
So I'm going to go and do a sudo systemctl restart isc-dhcp-server, that's going to restart. And we'll take a look at our status and at this point we should be up and running. Yes, I can see that it is active and running. Now I want to point out one real quick thing is I am getting an error, see, no subnet declaration for enp0s5. That's my network interface. Notice that's the 222.0.51 network. Well I have a range that's 172.16.1, so that's okay. I want to hand out IPs but for a different interface. So it's connected to the other interface, not this one. So it's just warning, I don't have any subnets that match that interface and that's okay. So some of these errors you can ignore. Some are a little more important than others, but you can read through here. And also depending on what network configuration software you're using, it might not be able to see that you've got a static address when you do. So you might see messages there as well, but a lot of those are able to be disregarded. Just read through and check and if there's something really critical, you'll see it, especially if the service doesn't start like mine didn't originally.

- That's awesome. And in this episode we were able to look at quite a bit, including a typo that you say was unintentional, but I think you did that on purpose. We got to look at installing and configuring a DHCP server on Linux. We got to look at creating and activating a DHCP address pool and Don showed us how to monitor DHCP and make sure that it's working correctly. But don't go away, we've got more up and coming up in the next episode. We'll see you next time. Thank you for watching ITProTV. (whooshing)
