<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font color="#993300"><tt>The IP address of the DHCP server is
192.168.11.10</tt><tt><br>
</tt><tt> range 192.168.11.10 <b>10.254.11.10</b>;</tt><tt><br>
</tt></font>You configured it to assign its own address.<br>
<br>
Also your range ending address is outside your subnet:<br>
<font color="#993300"><tt> option subnet-mask
255.255.255.0;
</tt><tt><br>
</tt><tt>
</tt></font><br>
Bill<br>
</p>
<div class="moz-cite-prefix">On 9/16/2019 9:31 PM, Larry Apolonio
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:56e709be-b854-fe02-c10c-3f108c200f0b@rh73.com">
<br>
All,
<br>
<br>
I have a weird problem that I am trying to solve.
<br>
<br>
In short, for those who don't want to read the details, I am
trying to figure out why the DHCP server assigned its own IP
address to another device.
<br>
<br>
<br>
My dhcp server is running on CentOS 6.10 and is the regular RPM
that comes with that distribution
dhcp-4.1.1-63.P1.el6.centos.x86_64.
<br>
<br>
What is a little unusual is that webmin is used to manage the dhcp
server, for the most part it works for our environment.
<br>
<br>
Yesterday, I got a nagios alert that the server was no longer
available. This nagios server is on the same subnet as the server
so there was no weird firewall routing issues involved. With the
help of the networking guys, we found that another machine took
the IP address of our DHCP server. This happened late July this
year and it ended up being a human error, the person spinning up a
machine on this network assigned a static IP address to their
machine that was the same IP as our server, so we thought someone
did it again.
<br>
<br>
The difference this time is that it seems like the DHCP server
itself assigned its own IP address
<br>
<br>
Here is a sample of that subnet declaration, with IPs changed to
protect the innocent
<br>
<br>
# XXXXXX Subnet
<br>
subnet 192.168.11.0 netmask 255.255.255.0 {
<br>
range 192.168.11.10 10.254.11.10;
<br>
option subnet-mask 255.255.255.0;
<br>
default-lease-time 28800;
<br>
option broadcast-address 192.168.11.255;
<br>
option routers 192.168.11.254;
<br>
option domain-name-servers 208.67.222.222 ,
208.67.220.220;
<br>
option domain-name "example.local";
<br>
}
<br>
<br>
The IP address of the DHCP server is 192.168.11.10, I personally
would not do this, I would have not even had the DHCP server IP
address in that range. But please read on
<br>
<br>
This is a rarely used subnet, so a machine appearing on this
subnet is rare, in fact I thought this subnet did not have a dhcp
      declaration prior to me looking into it.  Doesn't this log entry
in /var/log/messages confirm it? (hostname was changed in this
paste)
<br>
<br>
Sep 12 10:02:12 linuxdhcpserver dhcpd: No subnet declaration for
eth0 (no IPv4 addresses).
<br>
Sep 12 10:02:12 linuxdhcpserver dhcpd: ** Ignoring requests on
eth0. If this is not what
<br>
Sep 12 10:02:12 linuxdhcpserver dhcpd: you want, please write a
subnet declaration
<br>
Sep 12 10:02:12 linuxdhcpserver dhcpd: in your dhcpd.conf file
for the network segment
<br>
Sep 12 10:02:12 linuxdhcpserver dhcpd: to which interface eth0
is attached. **
<br>
<br>
When the service was restarted 3 hours later, that same message
about no subnet declaration for eth0 did not appear.
<br>
<br>
One reason we use webmin is so that non-linux folk (AKA people
      without the root password) can log in to an easy web interface
to manage the service that the Linux server does, in this case
dhcp.
<br>
<br>
But it also logs what they did, up to a certain point, I can tell
who edited which subnet declarations but not the exact changes
they did.
<br>
<br>
From the webmin logs, until yesterday this subnet was not changed.
<br>
<br>
From the command line I also ran last to see who logged in, it was
either root, or a proper Linux server admin, and I admit that
someone in this group could be holding back, I don't think we did
anything via CLI.
<br>
<br>
So I am at a loss, trying to figure out why a DHCP server would
assign its own IP address (it is pingable, no iptables rules
blocking ICMP), I thought conflict resolution would prevent it. If
I am reading RFC1541 section 2.2 correctly.
<br>
<br>
Did someone do a good job at cleaning up their tracks? I don't
think the effort or skill was there. It would be easier to just
admit they made a mistake.
<br>
<br>
      Was webmin not logging correctly?  I really don't recall this
subnet being on this server, because I do recall seeing that
message in the logs regarding no subnet declaration in the past.
<br>
<br>
Couple solutions were proposed so this would not happen again, the
biggest one is putting this server and its big brother nagios
server on its lonesome VLAN/subnet and restrict anything else from
being on this subnet. Seems overkill but this IP hijack happened
twice within 60 days when it has been fine for years.
<br>
<br>
Thank you,
<br>
<br>
Larry Apolonio
<br>
<br>
Although I have been speaking English for a while now, I still
have problems articulating my thoughts, thank you for your
patience.
<br>
<br>
<br>
_______________________________________________
<br>
dhcp-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/dhcp-users">https://lists.isc.org/mailman/listinfo/dhcp-users</a>
<br>
</blockquote>
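<p>The two problems pointed out in the reply (a range that includes the server's own address, and a range endpoint outside the declared subnet) can be checked before dhcpd is restarted. The following is an added example, not part of the original thread or of ISC DHCP or webmin; the function name <tt>audit_ranges</tt> and the caller-supplied list of reserved addresses are assumptions, and the sample configuration is the declaration quoted above.</p>
<pre>
```python
import ipaddress
import re

# Constructed sample: the subnet declaration quoted in the thread.
SAMPLE_CONF = """
# XXXXXX Subnet
subnet 192.168.11.0 netmask 255.255.255.0 {
  range 192.168.11.10 10.254.11.10;
  option subnet-mask 255.255.255.0;
  default-lease-time 28800;
  option broadcast-address 192.168.11.255;
  option routers 192.168.11.254;
}
"""

# Simplification: matches flat subnet blocks only (no nested pool { } blocks).
SUBNET_RE = re.compile(r"subnet\s+([\d.]+)\s+netmask\s+([\d.]+)\s*\{(.*?)\}", re.S)
# dhcpd syntax: range [dynamic-bootp] low-address [high-address];
RANGE_RE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?([\d.]+)(?:\s+([\d.]+))?\s*;")


def audit_ranges(conf_text, reserved):
    """Return (kind, subnet, address) findings for every IPv4 range that
    leaves its subnet or covers an address in `reserved` (for example the
    DHCP server's own static IP)."""
    findings = []
    reserved_ips = [ipaddress.ip_address(a) for a in reserved]
    text = re.sub(r"#.*", "", conf_text)  # strip comments
    for net_addr, mask, body in SUBNET_RE.findall(text):
        net = ipaddress.ip_network(f"{net_addr}/{mask}")
        for low_s, high_s in RANGE_RE.findall(body):
            low = ipaddress.ip_address(low_s)
            high = ipaddress.ip_address(high_s or low_s)  # single-address range
            for addr in (low, high):
                if addr not in net:
                    findings.append(("outside-subnet", str(net), str(addr)))
            lo, hi = sorted((low, high))
            for ip in reserved_ips:
                if hi >= ip >= lo:
                    findings.append(("reserved-in-range", str(net), str(ip)))
    return findings


if __name__ == "__main__":
    # 192.168.11.10 is the DHCP server's address as given in the thread.
    for kind, subnet, addr in audit_ranges(SAMPLE_CONF, ["192.168.11.10"]):
        print(f"{subnet}: {kind}: {addr}")
```
</pre>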
</body>
</html>