Deny DHCP Address by MAC?

Glenn Satchell glenn.satchell at
Sat Jul 17 11:24:36 UTC 2010

The other way is to use a host statement, e.g.:

host "black1" {
     hardware ethernet 00:12:ba:1d:c1:b7;
     ignore booting;
}

I thought the difference between ignore and deny booting was that deny 
booting logs a message each time the client requests an address. If the 
client requests frequently this could fill your log file pretty quickly.

Note that the user can still manually configure an IP address, so this 
is not a perfect solution.


On 07/17/10 06:38, Jeff Wieland wrote:
> What we usually do is to create a class called something like "black-hole",
> and then use subclasses to match on it. Something like:
> class "black-hole" {
> match substring (hardware, 1, 6);
> # deny booting;
> ignore booting;
> }
> subclass "black-hole" 00:12:ba:1d:c1:b7;
> subclass "black-hole" 00:12:df:b6:7b:e7;
> You can have as many of the "subclass" statements as you need. This uses an
> ignore booting command, which causes dhcpd to do nothing when it sees that
> MAC address. If you comment out the "ignore booting" and uncomment the
> "deny booting", it will send a DHCPNAK (IIRC) to the client instead.
> Tim Evans wrote:
>> A .EDU with insecure offices, network outlets, and labs, is trying to
>> track down a rogue DHCP client on their network that also happens to
>> be infected with conficker.
>> They have a completely open DHCP setup (this is the entire dhcpd.conf
>> file):
>> ddns-update-style ad-hoc;
>> authoritative;
>> subnet netmask {
>> range;
>> option subnet-mask;
>> option broadcast-address;
>> option routers;
>> option domain-name-servers;
>> option domain-name "";
>> }
>> Any connected machine can get an address from the range specified in
>> the config file. Bouncing this one's lease merely results in it
>> getting a new one.
>> They know the rogue machine's MAC address, of course. Can they deny it
>> a DHCP address based only on the MAC? How? Thanks.
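
Added example, not part of the original thread and not ISC code: a small Python helper that builds the "black-hole" class and subclass lines quoted above from a list of MAC addresses in mixed notations, rejecting malformed entries so a typo does not end up in dhcpd.conf. The function names and the sample list are assumptions made for illustration.

```python
import re

# Constructed sample input: MAC addresses as they tend to arrive from
# switch tables and tickets (mixed separators and case, one invalid entry).
SAMPLE_MACS = [
    "00:12:BA:1D:C1:B7",
    "0012.dfb6.7be7",
    "00-12-ba-1d-c1-b7",   # duplicate of the first entry
    "00:12:ba:1d:c1",      # too short, must be rejected
]

_SEPARATORS = re.compile(r"[:.\-\s]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return the MAC as lower-case colon-separated octets, or None if invalid."""
    digits = _SEPARATORS.sub("", raw.strip().lower())
    if not _HEX12.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_blackhole(macs, class_name="black-hole"):
    """Return (config_text, rejected) for the class/subclass approach."""
    seen, rejected = [], []
    for raw in macs:
        mac = normalize_mac(raw)
        if mac is None:
            rejected.append(raw)      # keep for the operator to review
        elif mac not in seen:
            seen.append(mac)          # de-duplicate, preserve input order
    lines = [
        f'class "{class_name}" {{',
        "    match substring (hardware, 1, 6);",
        "    ignore booting;",
        "}",
    ]
    lines += [f'subclass "{class_name}" {mac};' for mac in seen]
    return "\n".join(lines) + "\n", rejected


if __name__ == "__main__":
    config, rejected = build_blackhole(SAMPLE_MACS)
    print(config, end="")
    for bad in rejected:
        print(f"# rejected: {bad}")
```

The output can be written to a file pulled in with an include statement in dhcpd.conf and checked with dhcpd -t before the server is restarted.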
