10

I'm experimenting with various network setups using VMs. When I set up the DHCP role on Windows Server, it requires a static IP. I am having trouble understanding why this is necessary from a technical point of view.

My understanding of DHCP is: a client broadcasts a DHCP Discovery request on the network, and any device on the network can respond. A DHCP server thus needs an IP address, but why does this IP need to be static? The DHCP server can get its address elsewhere and still respond to the broadcast as long as it has an IP.

E.g.

  • Server A, Server B and Client X are all connected to the same switch
  • Server A is 10.0.0.1 and serves 10.0.0.X/24
  • Server A is configured to only give IP to Server B via MAC filtering
  • Server B gets its IP from Server A, thus it lives on 10.0.0.X/24
  • Server B serves 10.0.1.X/24
  • Client X connects, and gets an IP from Server B

Of course, once Client X gets its IP from Server B, it won't be able to contact Server B directly since they live on different subnets. But that's not a problem - the DHCP request is (initially) a broadcast, so everyone on the switch will receive it.

Ignoring the management point of view, why can't I have

  • A master DHCP server with static IP, it only serves other DHCP servers
  • An address range for the "secondary" DHCP servers
  • An address range for clients, obtained from the "secondary" DHCP servers

Is there a technical reason that DHCP servers must have a static IP?

3 Answers

6

My understanding of DHCP is, a client broadcasts a DHCP Discovery request on the network, and any device on the network can respond.

A client can make a unicast DHCP request too: the renewal request is made in unicast, so the client contacts the DHCP server directly. What if the DHCP server changed its original IP address? The renewal will fail and the next request will be made in broadcast, which is not a behavior that will optimize your network traffic.

Microsoft:

Renewing a Lease: The DHCP client first attempts to renew its lease when 50 percent of the original lease time, known as T1, has passed. At this point the DHCP client sends a unicast DHCPRequest message to the DHCP server that originally granted its lease. If the server is available, and the lease is still available, the server responds with a unicast DHCPAck message and the lease is renewed.

Source

ISC:

    Internet Systems Consortium DHCP Client 4.2.2
    Copyright 2004-2011 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/
    Listening on LPF/eth0/00:0c:29:ac:18:75
    Sending on   LPF/eth0/00:0c:29:ac:18:75
    Sending on   Socket/fallback
    DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 7    << First request
    DHCPREQUEST on eth0 to 255.255.255.255 port 67
    DHCPOFFER from 10.0.0.253
    DHCPACK from 10.0.0.253
    bound to 10.0.0.6 -- renewal in 133 seconds.
    DHCPREQUEST on eth0 to 10.0.0.253 port 67    << Renewal
    DHCPACK from 10.0.0.253
    bound to 10.0.0.6 -- renewal in 119 seconds.
    DHCPREQUEST on eth0 to 10.0.0.253 port 67
    DHCPACK from 10.0.0.253
    bound to 10.0.0.6 -- renewal in 118 seconds.

Once the lease has been granted, however, future DHCPREQUEST/RENEWAL messages are unicast directly to the DHCP server.

Source
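To make the renewal argument in this answer concrete, here is a small added model (not from the answer or from ISC/Microsoft) of the RFC 2131 client timers: T1 = 0.5 * lease sends a unicast DHCPREQUEST to the server identifier learned from the DHCPACK, and only if that times out does the client fall back to a broadcast at T2 = 0.875 * lease. Server names and addresses are constructed; the point shown is that a server whose address has moved turns every quiet unicast renewal into a broadcast that any server on the wire can answer.

```python
# Added example: model of DHCP lease renewal (RFC 2131 T1/T2 defaults).
# Servers, addresses and lease times below are constructed for the demo.
from dataclasses import dataclass

@dataclass
class Lease:
    client_ip: str
    server_ip: str   # server identifier taken from the DHCPACK
    lease_time: int  # seconds

class Wire:
    """One broadcast domain; maps each DHCP server's current IP to a name."""
    def __init__(self, servers):
        self.servers = dict(servers)

    def unicast(self, dst_ip):
        # A unicast DHCPREQUEST only reaches whoever holds dst_ip right now.
        return self.servers.get(dst_ip)

    def broadcast(self):
        # A broadcast DHCPREQUEST is heard by every server on the wire;
        # the first responder (here: alphabetical) wins the client.
        return sorted(self.servers.values())

def renew(lease, wire):
    """Run the T1 (unicast) then T2 (broadcast) steps; return the events."""
    t1, t2 = lease.lease_time * 0.5, lease.lease_time * 0.875
    events = []
    server = wire.unicast(lease.server_ip)
    if server:
        events.append((t1, "unicast", lease.server_ip, "DHCPACK", server))
        return events                      # quiet renewal, no broadcast
    events.append((t1, "unicast", lease.server_ip, "timeout", None))
    responders = wire.broadcast()
    if responders:
        events.append((t2, "broadcast", "255.255.255.255", "DHCPACK", responders[0]))
    else:
        events.append((lease.lease_time, "expired", lease.client_ip, "release", None))
    return events

def renewal_was_unicast(lease, wire):
    """True when the server kept its address and the renewal stayed unicast."""
    return renew(lease, wire)[-1][1] == "unicast"
```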

9

A DHCP server must have a configured IP address so that it can know which scopes are locally attached to physical interfaces, and which Scopes can only be served via a DHCP relay.

Ignoring the management point of view,

I am sorry, but I think it is silly to try and hand-wave away and ignore the practical issues about running your network. Getting a valid IP address is critical on most networks. You would never want your DHCP server to fail because it couldn't get its own valid address. Software, and protocols are designed to work in common practical situations. What you are describing seems to create multiple places for things to fail with little or no real gain.

If you really want to have some kind of dynamic configuration of a DHCP server you should probably be looking at using a configuration management system to enforce the settings on the DHCP server, instead of trying to use DHCP to configure your DHCP server.

4
  • Can you add more explanation about how a static IP address is related to picking scopes? If I have two subnets in one physical network, then a DHCP relay wouldn't be necessary. Commented Mar 1, 2015 at 8:28
  • 2
    Well a single DHCP server can have many scopes. So you could configure scopes for both those subnets on a single server. A DHCP server can only respond to broadcast requests with scopes that are associated with the local subnet. It determines this by looking at the assigned local addresses. As a safeguard most DHCP servers require this to be static. What would happen to your network in your example, if your DHCP server happened to get a DHCP address from a rogue DHCP server? Commented Mar 1, 2015 at 8:36
  • So, is it correct to say, "Asking a DHCP server on 10.0.0.X/24 to serve 10.0.1.X/24 without a relay is confusing, because subnets are meant to isolate networks and this configuration implies a relay is necessary?" Commented Mar 1, 2015 at 8:51
  • 2
    @Zoredache's comment about your DHCP server getting an address from a rogue DHCP server (or failing to get one at all) is key, I would say. You can't build a robust network stack on faulty foundations. Commented Mar 1, 2015 at 11:25
1

Technically the DHCP Server must have a known IP address for the packets that are sent after the initial discovery packet. This address usually needs to be known when it starts up so that's pretty much static. It doesn't (IIRC) have to be on the same subnet so that DHCP relay will work, but it's not going to work without a route to the subnet it's allocating on.

If you really want to do it you can probably arrange something using a virtual interface so your physical adaptor (server B) has IP addresses on both the subnets that are on your wire (one DHCP and the other static).

Like Zoredache I would suggest you should really stick with one DHCP server setup for the wire. Most DHCP servers will allow you to classify devices in various ways (e.g. parts of the MAC address) and assign these to different sections of the subnet. You would then be able to give different firewall rules to these subsections.

There would be no difference in security because any client can set up its own static address in both scenarios.
