Deny DHCP Address by MAC?

Jeff Wieland wieland at
Fri Jul 16 20:38:04 UTC 2010

What we usually do is to create a class called something like "black-hole",
and then use subclasses to match on it.  Something like:

class "black-hole" {
    # skip the leading hardware-type byte and match on the 6-byte MAC
    match substring (hardware, 1, 6);
    # deny booting;
    ignore booting;
}
subclass "black-hole" 00:12:ba:1d:c1:b7;
subclass "black-hole" 00:12:df:b6:7b:e7;

You can have as many of the "subclass" statements as you need.  This uses an
ignore booting command, which causes dhcpd to do nothing when it sees that
MAC address.  If you comment out the "ignore booting" and uncomment the
"deny booting", it will send a DHCPNAK (IIRC) to the client instead.

Tim Evans wrote:
> A .EDU with insecure offices, network outlets, and labs, is trying to 
> track down a rogue DHCP client on their network that also happens to 
> be infected with conficker.
> They have a completely open DHCP setup (this is the entire dhcpd.conf 
> file):
> ddns-update-style ad-hoc;
> authoritative;
> subnet netmask {
>  range;
>   option subnet-mask;
>   option broadcast-address;
>   option routers;
>   option domain-name-servers;
>   option domain-name "";
> }
> Any connected machine can get an address from the range specified in 
> the config file. Bouncing this one's lease merely results in it 
> getting a new one.
> They know the rogue machine's MAC address, of course.  Can they deny 
> it a DHCP address based only on the MAC? How? Thanks.

          Jeff Wieland            |         Purdue University
   Network Systems Administrator  |        ITN&S Data Networks
       Voice: (765)496-8234       |        155 S. Grant Street
        FAX: (765)494-6620        |   West Lafayette, IN 47907-2115
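As an added example (not from the post, and not ISC's own tooling), a small Python helper that normalises a list of MAC addresses into the colon-separated form the subclass statements need, renders the "black-hole" stanza from the reply above, and checks whether a MAC seen in a lease or log line is on the list; the MAC list is constructed for illustration.

```python
import re

# Constructed sample list: the two MACs from the post plus variants in other
# notations (dash-separated upper case, Cisco dotted) to exercise normalisation.
BLOCKED_MACS = [
    "00:12:ba:1d:c1:b7",
    "00-12-DF-B6-7B-E7",
    "0012.ba1d.c1b8",
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC as 6 lower-case hex octets separated by colons."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a valid 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def render_blackhole_class(macs, action="ignore booting") -> str:
    """Render the class/subclass stanza from the reply.

    substring(hardware, 1, 6) skips the 1-byte hardware type, so each
    subclass key is the bare 6-octet MAC. Duplicates are collapsed and the
    keys sorted so repeated runs produce identical config.
    """
    lines = [
        'class "black-hole" {',
        "    match substring (hardware, 1, 6);",
        f"    {action};",
        "}",
    ]
    for mac in sorted({normalize_mac(m) for m in macs}):
        lines.append(f'subclass "black-hole" {mac};')
    return "\n".join(lines) + "\n"


def is_blackholed(mac: str, macs=BLOCKED_MACS) -> bool:
    """True if a MAC (in any common notation) is on the black-hole list."""
    return normalize_mac(mac) in {normalize_mac(m) for m in macs}


if __name__ == "__main__":
    print(render_blackhole_class(BLOCKED_MACS), end="")
```

Paste the rendered stanza into dhcpd.conf and, as with any edit, run dhcpd's configuration test before restarting the daemon.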
