howto configure DHCP to reject renewal of lease

Gilbert Coles gilbertx07 at
Thu Oct 12 09:06:52 UTC 2006

Simon, you are definitely right and I thought about this all along but as 
you say some obstinate heads exist in the world thinking that IP rotation is 
the only way and this answer of yours is my final blow - that the world's 
most popular DHCP daemon doesn't do it, translating to: don't you dare ask 
me the ip f*&king rotation question again...

Guess the traditional way of doing it for ISPs is using RADIUS and PPP auth 
since RADIUS tends to switch IPs but I was and still am against IP rotation 
- it destroys the notion of "always on" in the case of ISPs. So really mine 
was just a confirmation question.

Thanks and keep up the good work

>From: Simon Hobson <dhcp1 at>
>Reply-To: dhcp-users at
>To: dhcp-users at
>Subject: Re: howto configure DHCP to reject renewal of lease
>Date: Thu, 12 Oct 2006 09:54:32 +0100
>Gilbert Coles wrote:
> >What I'm trying to achieve is to configure the ISC dhcpd to give the 
> >(when it tries to renew its lease @T/2) a new IP address - to avoid 
> >the same IP for a long time.
>Why ?
> >Is this functionality available in v3.0.4 of the ISC dhcpd?
>No, it's the opposite of required functionality according to the RFC.
>It's a question that's been asked before, and every time it's been
>from an ISP - usually expressed as "I don't think it's great but my
>management insists ...". The reason given has been to prevent users
>running servers on their accounts.
>Apologies in advance if this isn't the reason, but so far I don't
>think we've heard any other !
>If you look through the archives, you'll find it gets roughly the
>same response whenever it's asked - it's against the rfc, it's bad
>for the network AND for the internet, and no it isn't supported.
>Others have gone as far as to suggest that once your customers find
>out what you are doing then you deserve to lose them and go out of
>business and Darwinism will have removed another stupid ISP from the
>market !
>Why doesn't it work ? Simple, dynamic dns services which will allow
>dns to track changes in IP address very quickly. So accessing the
>server by dns entry will only break for a short time when the IP
>Why is it bad for your clients ? Every time their address changes,
>all their connections drop, and any downloads in progress will break.
>Imagine that your customer is downloading a large file, and gets to 4G
>of a 4.7G DVD image when this happens - natural response is to try it
>again and if their software doesn't properly support resumed
>downloads then they'll download the same 4G again - so that's 4G of
>wasted bandwidth usage ! If your rotation time is short enough they'll
>never get the file, but waste a lot of bandwidth in the process -
>this is bad for the Internet as a whole.
>Why is it bad for you ? Well with the above happening, you'll get a
>reputation for unreliable connections. When your customers find out
>why then you'll be pilloried for being so f***ing clueless ! Either way,
>no sensible customer is going to choose you (or remain with you)
>without some other compelling reason.
>If you wish to impose restrictions on what your customers can do with
>their connections then you should do it at the appropriate level. If
>you want to prevent them running (say) a web server, then filter
>traffic on port 80. It won't stop them running a server on another
>port, so you'll have to figure out how to stop that.
>Better still, ask yourselves if you REALLY have to prevent it - it's
>going to be a pain to prevent, why not simply impose
>bandwidth/traffic limits which are far easier to measure/control ?
