1.1. dhcpd --- DHCP server¶
1.1.1. Synopsis¶
dhcpd [ -p <port> ] [ -f ] [ -d ] [ -q ] [[-t] | [-T]] [[-4] | [-6]] [ -4o6 <port> ] [ -s <server> ] [ -cf <config-file> ] [ -lf <lease-file> ] [ -pf <pid-file> ] [ --no-pid ] [ -user <user> ] [ -group <group> ] [ -chroot <dir> ] [ -tf <trace-output-file> ] [ -play <trace-playback-file> ] [ <if0> ] [ ... <ifN> ]
dhcpd --version
1.1.2. Description¶
dhcpd implements the Dynamic Host Configuration Protocol (DHCP) and the Internet Bootstrap Protocol (BOOTP). DHCP allows hosts on a TCP/IP network to request and be assigned IP addresses, and also to discover information about the network to which they are attached. BOOTP provides similar functionality, with certain restrictions.
1.1.3. Operation¶
The DHCP protocol allows a host which is unknown to the network administrator to be automatically assigned a new IP address out of a pool of IP addresses for its network. In order for this to work, the network administrator allocates address pools in each subnet and enters them into the dhcpd.conf(5) file.
There are two versions of the DHCP protocol DHCPv4 and DHCPv6. At startup the server may be started for one or the other via the -4 or -6 arguments.
On startup, dhcpd reads the dhcpd.conf(5) file and stores a list of available addresses on each subnet in memory. When a client requests an address using the DHCP protocol, dhcpd allocates an address for it. Each client is assigned a lease, which expires after an amount of time chosen by the administrator (by default, one day). Before leases expire, the clients to which leases are assigned are expected to renew them in order to continue to use the addresses. Once a lease has expired, the client to which that lease was assigned is no longer permitted to use the leased IP address.
In order to keep track of leases across system reboots and server restarts, dhcpd keeps a list of leases it has assigned in the dhcpd.leases(5) file. Before dhcpd grants a lease to a host, it records the lease in this file and makes sure that the contents of the file are flushed to disk. This ensures that even in the event of a system crash, dhcpd will not forget about a lease that it has assigned. On startup, after reading the dhcpd.conf(5) file, dhcpd reads the dhcpd.leases(5) file to refresh its memory about what leases have been assigned.
New leases are appended to the end of the dhcpd.leases(5)
file. In order to prevent the file from becoming arbitrarily large, from
time to time dhcpd creates a new dhcpd.leases(5)
file from its in-core lease database. Once this file has been written
to disk, the old file is renamed dhcpd.leases~, and the new file
is renamed dhcpd.leases. If the system crashes in the middle of
this process, whichever dhcpd.leases(5) file remains will
contain all the lease information, so there is no need for a special
crash recovery process.
BOOTP support is also provided by this server. Unlike DHCP, the BOOTP protocol does not provide a protocol for recovering dynamically-assigned addresses once they are no longer needed. It is still possible to dynamically assign addresses to BOOTP clients, but some administrative process for reclaiming addresses is required. By default, leases are granted to BOOTP clients in perpetuity, although the network administrator may set an earlier cutoff date or a shorter lease length for BOOTP leases if that makes sense.
BOOTP clients may also be served in the old standard way, which is to simply provide a declaration in the dhcpd.conf(5) file for each BOOTP client, permanently assigning an address to each client.
Whenever changes are made to the dhcpd.conf(5) file,
dhcpd must be restarted. To restart dhcpd, send a
SIGTERM signal to the process ID contained in
/run/lease/dhcpd.pid, and then re-invoke
dhcpd. Because the DHCP server database is not as lightweight
as a BOOTP database, dhcpd does not automatically restart
itself when it sees a change to the dhcpd.conf(5) file.
1.1.4. Command line¶
The names of the network interfaces on which dhcpd should listen for broadcasts may be specified on the command line. This should be done on systems where dhcpd is unable to identify non-broadcast interfaces, but should not be required on other systems. If no interface names are specified on the command line dhcpd will identify all network interfaces which are up, eliminating non-broadcast interfaces if possible, and listen for DHCP broadcasts on each interface.
1.1.5. Options¶
- -4o6 <port>¶
Participate in the DHCPv4 over DHCPv6 protocol specified by RFC 7341. This associates a DHCPv4 and a DHCPv6 server to allow the v4 server to receive v4 requests that were encapsulated in a v6 packet. Communication between the two servers is done on a pair of UDP sockets bound to ::1 <port> and <port> + 1. Both servers must be launched using the same <port> argument.
- -p <port>¶
The UDP port number on which dhcpd should listen. If unspecified dhcpd uses the default port of 67. This is mostly useful for debugging purposes.
- -s <address>¶
Specify an address or host name to which dhcpd should send replies rather than the broadcast address (255.255.255.255). This option is only supported in IPv4.
- -f¶
Force dhcpd to run as a foreground process instead of as a daemon in the background.
- -d¶
Send log messages to the standard error descriptor. This can be useful for debugging, and also where a complete log of all DHCP activity must be kept but syslogd is not reliable or otherwise cannot be used. Normally, dhcpd will log all output using the syslog(3) function with the log facility set to LOG_DAEMON. Note that
-dimplies-f(i.e., the daemon will not fork itself into the background).
- -q¶
Be quiet at startup. This suppresses the printing of the entire copyright message during startup.
- -t¶
Test the configuration file. The server tests the dhcpd.conf(5) file for correct syntax, but will not attempt to perform any network operations. This can be used to test a new configuration file automatically before installing it.
- -T¶
Test the lease file. The server tests the dhcpd.leases(5) file for correct syntax, but will not attempt to perform any network operations. This can be used to test a new lease file automatically before installing it.
- -user <user>¶
setuid(2) to <user> after completing privileged operations, such as creating sockets that listen on privileged ports. This also causes the lease file to be owned by <user>.
- -group <group>¶
setgid(2) to <group> after completing privileged operations such as creating sockets that listen on privileged ports. This also causes the lease file to be owned by <group>.
- -chroot <directory>¶
chroot(2) to <directory>.
Warning
This may occur before or after reading the configuration files depending on whether
--early-chrootis used.
- --early-chroot¶
If
-chrootis used, then perform the chroot(2) before reading the configuration files.
- -tf <trace-file>¶
Enable trace recording by specifying a file into which the entire startup state of the server and all the transactions it processes are logged.
- -play <trace-file>¶
Enable trace playback by specifying a file from which the entire startup state of the DHCP server and all the transactions it processed are read.
-playmust be specified with an alternate lease file, using-lfso that the DHCP server doesn't wipe out any existing lease file with its test data. The DHCP server will refuse to operate in playback mode unless an alternate lease file is specified.
- --version¶
Print version number and exit.
- -cf <config-file>¶
Specify path to the dhcpd.conf(5) configuration file.
Note
Because of the importance of using the same lease database at all times when running dhcpd in production, it is suggested that this option be used for testing lease files or database files in a non-production environment.
- -lf <lease-file>¶
Specify path to the dhcpd.leases(5) leases file.
Note
Because of the importance of using the same lease database at all times when running dhcpd in production, it is suggested that this option be used for testing lease files or database files in a non-production environment.
- -pf <pid-file>¶
Specify path to a file where the dhcpd process ID is written.
- --no-pid¶
Disable writing process ID files. By default, dhcpd will write a process ID file. If it is invoked with this option it will not check for an existing dhcpd process.
1.1.6. UDP and TCP ports¶
During operations the server may use multiple UDP and TCP ports to provide different functions. Which ports are used depends on the configuration in use. The following should provide an idea of what ports may be used.
Normally a DHCPv4 server will open a raw UDP socket to receive and send most DHCPv4 packets. It also opens a fallback UDP socket for use in sending unicast packets. Normally these will both use the well known port number for BOOTPS.
For each DHCPv4 failover peer listed in the configuration file there will be a TCP socket listening for connections on the ports specified in the configuration file. When the peer connects, there will be another socket for the established connection. For the established connection the side (primary or secondary) opening the connection will use a random port.
For DHCPv6 the server opens a UDP socket on the well known dhcpv6-server port.
The server opens an ICMP socket for doing ICMP Echo (ping) requests to check if addresses are in use.
If there is an omapi-port statement in the configuration file, then
the server will open a TCP socket on that port to listen for OMAPI
connections. When something connects another port will be used for the
established connection.
When DNS UPDATE is used, the server will open a v4 and a v6 UDP socket
on random ports. If the server is not configured to do DNS UPDATEs, the
ports will never be opened (ddns-update-style set to none in the
configuration file).
1.1.7. Configuration¶
The syntax of the dhcpd.conf(5) file is discussed separately. This section should be used as an overview of the configuration process, and the dhcpd.conf(5) documentation should be consulted for detailed reference information.
1.1.7.1. Subnets¶
dhcpd needs to know the subnet numbers and netmasks of all subnets for which it will be providing service. In addition, in order to dynamically allocate addresses, it must be assigned one or more ranges of addresses on each subnet which it can in turn assign to client hosts as they boot. Thus, a very simple configuration providing DHCP support might look like this:
subnet 239.252.197.0 netmask 255.255.255.0 {
range 239.252.197.10 239.252.197.250;
}
Multiple address ranges may be specified like this:
subnet 239.252.197.0 netmask 255.255.255.0 {
range 239.252.197.10 239.252.197.107;
range 239.252.197.113 239.252.197.250;
}
If a subnet will only be provided with BOOTP service and no dynamic
address assignment, the range clause can be left out entirely, but
the subnet statement must appear.
1.1.7.2. Lease time¶
DHCP leases can be assigned almost any duration from 0 seconds to infinity. What lease duration makes sense for any given subnet, or for any given installation, will vary depending on the kinds of hosts being served.
For example, in an office environment where systems are added from time to time and removed from time to time, but move relatively infrequently, it might make sense to allow lease durations of a month or more. In a final test environment on a manufacturing floor, it may make more sense to assign a maximum lease duration of 30 minutes --- enough time to go through a simple test procedure on a network appliance before packaging it up for delivery.
It is possible to specify two lease durations: the default duration that
will be assigned if a client doesn't ask for any particular lease
duration, and a maximum lease duration. These are specified as clauses
to the subnet command:
subnet 239.252.197.0 netmask 255.255.255.0 {
range 239.252.197.10 239.252.197.107;
default-lease-time 600;
max-lease-time 7200;
}
This particular subnet declaration specifies a default lease time of
600 seconds (ten minutes), and a maximum lease time of 7200 seconds (two
hours). Other common values are 86400 (one day), 604800 (one week) and
2592000 (30 days).
Each subnet need not have the same lease --- in the case of an office environment and a manufacturing environment served by the same DHCP server, it might make sense to have widely disparate values for default and maximum lease times on each subnet.
1.1.7.3. BOOTP support¶
Each BOOTP client must be explicitly declared in the dhcpd.conf(5) file. A very basic client declaration will specify the client network interface's hardware address and the IP address to assign to that client. If the client needs to be able to load a boot file from the server, that file's name must be specified. A simple BOOTP client declaration might look like this:
host haagen {
hardware ethernet 08:00:2b:4c:59:23;
fixed-address 239.252.197.9;
filename "/tftpboot/haagen.boot";
}
1.1.7.4. Options¶
DHCP (and also BOOTP with Vendor Extensions) provide a mechanism whereby the server can provide the client with information about how to configure its network interface (e.g., subnet mask), and also how the client can access various network services (e.g., DNS, IP routers, and so on).
These options can be specified on a per-subnet basis, and for BOOTP clients, also on a per-client basis. In the event that a BOOTP client declaration specifies options that are also specified in its subnet declaration, the options specified in the client declaration take precedence. A reasonably complete DHCP configuration might look something like this:
subnet 239.252.197.0 netmask 255.255.255.0 {
range 239.252.197.10 239.252.197.250;
default-lease-time 600 max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 239.252.197.255;
option routers 239.252.197.1;
option domain-name-servers 239.252.197.2, 239.252.197.3;
option domain-name "example.org";
}
A BOOTP host on that subnet that needs to be in a different domain and use a different DNS nameserver might be declared as follows:
host haagen {
hardware ethernet 08:00:2b:4c:59:23;
fixed-address 239.252.197.9;
filename "/tftpboot/haagen.boot";
option domain-name-servers 192.5.5.1;
option domain-name "example.com";
}
A more complete description of the configuration file syntax is provided in dhcpd.conf(5). A list of DHCP options are provided in dhcp-options(5).
1.1.8. OMAPI¶
dhcpd provides the capability to modify some of its configuration while it is running, without stopping it, modifying its database files, and restarting it. This capability is currently provided using OMAPI (Object Management Application Programming Interface) --- an API for manipulating remote objects. OMAPI clients connect to the dhcpd process using TCP/IP, authenticate, and can then examine the server's current status and make changes to it.
Rather than implementing the underlying OMAPI protocol directly, user programs should use the dhcpctl(5) API or omapi(5) itself. dhcpctl(5) is a wrapper that handles some of the housekeeping chores that OMAPI does not do automatically.
Warning
The above paragraph about dhcpctl(5) and omapi(5) should be replaced with a discussion of using omshell(1).
OMAPI exports objects, which can then be examined and modified. The DHCP server exports the following objects: lease, host, failover-state and group. Each object has a number of methods that are provided: lookup, create, and destroy. In addition, it is possible to look at attributes that are stored on objects, and in some cases to modify those attributes.
omshell(1) is a program that provides an interactive way to connect to, query, and possibly change dhcpd's state via OMAPI.
Warning
This section has to be rewritten, or moved to the developer documentation.
1.1.8.1. The lease object¶
Leases can't currently be created or destroyed, but they can be looked up to examine and modify their state.
Leases have the following attributes:
state <integer> [lookup, examine]
1 = free
2 = active
3 = expired
4 = released
5 = abandoned
6 = reset
7 = backup
8 = reserved
9 = bootp
ip-address <data> [lookup, examine]
The IP address of the lease.
dhcp-client-identifier <data> [lookup, examine, update]
The client identifier that the client used when it acquired the lease. Not all clients send client identifiers, so this may be empty.
client-hostname <data> [examine, update]
The value the client sent in the host-name option.
host <handle> [examine]
The host declaration associated with this lease, if any.
subnet <handle> [examine]
The subnet object associated with this lease (the subnet object is not currently supported).
pool <handle> [examine]
The pool object associated with this lease (the pool object is not currently supported).
billing-class <handle> [examine]
The handle to the class to which this lease is currently billed, if any (the class object is not currently supported).
hardware-address <data> [examine, update]
The hardware address (chaddr) field sent by the client when it acquired its lease.
hardware-type <integer> [examine, update]
The type of the network interface that the client reported when it acquired its lease.
ends <time> [examine]
The time when the lease's current state ends, as understood by the client.
tstp <time> [examine]
The time when the lease's current state ends, as understood by the server.
tsfp <time> [examine]
The adjusted time when the lease's current state ends, as understood by the failover peer (if there is no failover peer, this value is undefined). Generally this value is only adjusted for expired, released, or reset leases while the server is operating in partner-down state, and otherwise is simply the value supplied by the peer.
atsfp <time> [examine]
The actual tsfp value sent from the peer. This value is forgotten when a lease binding state change is made, to facilitate retransmission logic.
cltt <time> [examine]
The time of the last transaction with the client on this lease.
1.1.8.2. The host object¶
Hosts can be created, destroyed, looked up, examined and modified. If a host declaration is created or deleted using OMAPI, that information will be recorded in the dhcpd.leases(5) file. It is permissible to delete host declarations that are declared in the dhcpd.conf(5) file.
Hosts have the following attributes:
name <data> [lookup, examine, modify]
The name of the host declaration. This name must be unique among all host declarations.
group <handle> [examine, modify]
The named group associated with the host declaration, if there is one.
hardware-address <data> [lookup, examine, modify]
The link-layer address that will be used to match the client, if any. Only valid if
hardware-typeis also present.
hardware-type <integer> [lookup, examine, modify]
The type of the network interface that will be used to match the client, if any. Only valid if
hardware-addressis also present.
dhcp-client-identifier <data> [lookup, examine, modify]
The dhcp-client-identifier option that will be used to match the client, if any.
ip-address <data> [examine, modify]
A fixed IP address which is reserved for a DHCP client that matches this host declaration. The IP address will only be assigned to the client if it is valid for the network segment to which the client is connected.
statements <data> [modify]
A list of statements in the format of the dhcpd.conf(5) file that will be executed whenever a message from the client is being processed.
known <integer> [examine, modify]
If non-zero, indicates that a client matching this host declaration will be treated as known in pool permit lists. If zero, the client will not be treated as known.
1.1.8.3. The group object¶
Named groups can be created, destroyed, looked up, examined and modified. If a group declaration is created or deleted using OMAPI, that information will be recorded in the dhcpd.leases(5) file. It is permissible to delete group declarations that are declared in the dhcpd.conf(5) file.
Named groups currently can only be associated with hosts --- this allows one set of statements to be efficiently attached to more than one host declaration.
Groups have the following attributes:
name <data>
The name of the group. All groups that are created using OMAPI must have names, and the names must be unique among all groups.
statements <data>
A list of statements in the format of the dhcpd.conf(5) file that will be executed whenever a message from a client whose host declaration references this group is processed.
1.1.8.4. The control object¶
The control object allows dhcpd to be shutdown gracefully. If the server is doing failover with another peer, it will make a clean transition into the shutdown state and notify its peer, so that the peer can go into partner down, and then record the "recover" state in the lease file so that when the server is restarted, it will automatically resynchronize with its peer.
On shutdown the server will also attempt to cleanly shut down all OMAPI connections. If these connections do not go down cleanly after five seconds, they are shut down preemptively. It can take as much as 25 seconds from the beginning of the shutdown process to the time that the server actually exits.
To shut the server down, open its control object and set the state attribute to 2.
1.1.8.5. The failover-state object¶
The failover-state object is the object that tracks the state of the failover protocol as it is being managed for a given failover peer. The failover object has the following attributes (please see dhcpd.conf(5) for descriptions of these attributes):
name <data> [examine]
Indicates the name of the failover peer relationship, as described in the server's configuration file.
partner-address <data> [examine]
Indicates the failover partner's IP address.
local-address <data> [examine]
Indicates the IP address that is being used by the DHCP server for this failover pair.
partner-port <data> [examine]
Indicates the TCP port on which the failover partner is listening for failover protocol connections.
local-port <data> [examine]
Indicates the TCP port on which the DHCP server is listening for failover protocol connections for this failover pair.
max-outstanding-updates <integer> [examine]
Indicates the number of updates that can be outstanding and unacknowledged at any given time, in this failover relationship.
mclt <integer> [examine]
Indicates the maximum client lead time in this failover relationship.
load-balance-max-secs <integer> [examine]
Indicates the maximum value for the secs field in a client request before load balancing is bypassed.
load-balance-hba <data> [examine]
Indicates the load balancing hash bucket array for this failover relationship.
local-state <integer> examine, modify
Indicates the present state of the DHCP server in this failover relationship. Possible values for state are:
1 - startup
2 - normal
3 - communications interrupted
4 - partner down
5 - potential conflict
6 - recover
7 - paused
8 - shutdown
9 - recover done
10 - resolution interrupted
11 - conflict done
254 - recover wait
In general it is not a good idea to make changes to this state. However, in the case that the failover partner is known to be down, it can be useful to set the DHCP server's failover state to partner down. At this point the DHCP server will take over service of the failover partner's leases as soon as possible, and will give out normal leases, not leases that are restricted by MCLT. If the DHCP server is put into the partner-down state when the other DHCP server is not in the partner-down state, but is not reachable, IP address assignment conflicts are possible, even likely. Once a server has been put into partner-down mode, its failover partner must not be brought back online until communication is possible between the two servers.
partner-state <integer> [examine]
Indicates the present state of the failover partner.
local-stos <integer> [examine]
Indicates the time at which the DHCP server entered its present state in this failover relationship.
partner-stos <integer> [examine]
Indicates the time at which the failover partner entered its present state.
hierarchy <integer> [examine]
Indicates whether the DHCP server is primary or secondary in this failover relationship.
Possible values are:
0 - primary
1 - secondary
last-packet-sent <integer> [examine]
Indicates the time at which the most recent failover packet was sent by this DHCP server to its failover partner.
last-timestamp-received <integer> [examine]
Indicates the timestamp that was on the failover message most recently received from the failover partner.
skew <integer> [examine]
Indicates the skew between the failover partner's clock and this DHCP server's clock.
max-response-delay <integer> [examine]
Indicates the time in seconds after which, if no message is received from the failover partner, the partner is assumed to be out of communication.
cur-unacked-updates <integer> [examine]
Indicates the number of update messages that have been received from the failover partner but not yet processed.
1.1.9. Signals¶
Certain UNIX signals cause dhcpd to take specific actions:
- SIGTERM
Shuts down the DHCP server.
Signals can be sent using the kill(1) program. The result of sending any other signals to the server is undefined.
1.1.10. Files¶
/etc/lease/dhcpd.conf
The configuration file for the dhcpd program. See dhcpd.conf(5) for more details.
/var/lib/lease/dhcpd.leases
The DHCP leases file. See dhcpd.leases(5) for more details.
/var/lib/lease/dhcpd.leases~
Old DHCP leases file.
/var/lib/lease/dhcpd6.leases
The DHCPv6 leases file. See dhcpd.leases(5) for more details.
/var/lib/lease/dhcpd6.leases~
Old DHCPv6 leases file.
/run/lease/dhcpd.pid
The default process ID file.
1.1.11. See also¶
dhclient(8), dhcrelay(8), dhcpd.conf(5), dhcp-options(5), dhcpd.leases(5), omshell(1)
1.1.12. Copyright¶
Copyright (C) 2025 Banu Systems Private Limited. All rights reserved.
Copyright (c) 2004-2017 by Internet Systems Consortium, Inc. ("ISC").
Copyright (c) 1996-2003 by Internet Software Consortium.