Ubuntu / Debian Linux: Set Up An ISC DHCP Server For Your Network

How do I set up a DHCP server for my local area network (LAN) using Debian Linux 6 or Ubuntu Linux server running on my IBM hardware?

The Dynamic Host Configuration Protocol (DHCP) allows clients such as desktop, laptop, and mobile devices to request and obtain an IP address and many other parameters from a server.

ISC’s DHCP server software

ISC’s DHCP software is the most widely used open source DHCP implementation on the Internet. The same software can be used on a LAN too. It is a carrier and enterprise grade solution to your host configuration needs.

Installing the DHCP server

Type the following apt-get command as root user to install the DHCP server:
# apt-get install isc-dhcp-server
Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 11 not upgraded.
Need to get 0 B/411 kB of archives.
After this operation, 938 kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package isc-dhcp-server.
(Reading database ... 281728 files and directories currently installed.)
Unpacking isc-dhcp-server (from .../isc-dhcp-server_4.1.1-P1-15+squeeze8_amd64.deb) ...
Processing triggers for man-db ...
Setting up isc-dhcp-server (4.1.1-P1-15+squeeze8) ...
Generating /etc/default/isc-dhcp-server...
Starting ISC DHCP server: dhcpdcheck syslog for diagnostics. ... failed!
invoke-rc.d: initscript isc-dhcp-server, action "start" failed.

Configure the DHCP server

The configuration file for dhcpd is called /etc/dhcp/dhcpd.conf. The file comes with a number of global configuration options. Type the following command to edit the file:
# vi /etc/dhcp/dhcpd.conf
You must prevent the DHCP server from receiving DNS information from clients. To do so, set the following global option (this is a security feature):

ddns-update-style none;

You need to set your domain name and name server:

## Set a domain name for your LAN ##
option domain-name "nixcraft.net.in";
## Set DNS server IP address; you can use your ISP's DNS server or the Google DNS server ##
option domain-name-servers,;

Increase the lease time. The time is set in seconds:

### Set the length in seconds that will be assigned to a lease if the client requesting the lease does not ask for a specific expiration time. ###
### This is used for both DHCPv4 and DHCPv6 leases (it is also known as the "valid lifetime" in DHCPv6). ###
default-lease-time 86400;
## Set the maximum length in seconds that will be assigned to a lease ##
max-lease-time 604800;

The authoritative directive should be uncommented:


The authoritative directive indicates that the DHCP server should send DHCPNAK messages to misconfigured clients. If this is not done, clients will be unable to get a correct IP address after changing subnets until their old lease has expired, which could take quite a long time.

Finally, update the configuration file with your subnet as follows:

subnet netmask {
        ## dhcp start  and end IP range ##
        option subnet-mask;     ## subnet 
        option broadcast-address; ## broadcast
        option routers; ## router IP


  1. subnet netmask { – The subnet statement is used to provide dhcpd with enough information to tell whether or not an IP address is on that subnet. It may also be used to provide subnet-specific parameters and to specify what addresses may be dynamically allocated to clients booting on that subnet. Such addresses are specified using the range declaration. In this example is the subnet-number and should be an IP address or domain name which resolves to the subnet number of the subnet being described. The netmask should be an IP address or domain name which resolves to the subnet mask of the subnet being described. The subnet number, together with the netmask, are sufficient to determine whether any given IP address is on the specified subnet.
  2. range; – For any subnet on which addresses will be assigned dynamically, there must be at least one range statement. The range statement gives the lowest and highest IP addresses in a range. All IP addresses in the range should be in the subnet in which the range statement is declared. is the starting IP address and is the ending IP address in this pool.
  3. option subnet-mask; – Use this subnet-mask.
  4. option broadcast-address; – Use this broadcast address.
  5. option routers; – Use this gateway address i.e. the address of your router connected to the Internet.

Save and close the file. To check the syntax of the dhcpd.conf file for errors, run:
# dhcpd -t
# dhcpd -t -cf /etc/dhcp/dhcpd.conf

How do I start / stop / restart the DHCP server?

Type the following commands:

service isc-dhcp-server start
service isc-dhcp-server stop
service isc-dhcp-server restart
service isc-dhcp-server status

Sample outputs:

Fig.01: Debian Linux: Start / Stop / Restart DHCPD Server Commands

How do I verify that DHCP server UDP port # 67 is opened by dhcpd?

Type any one of the following commands:
# netstat -tulpn | grep --color "dhcp"
# ps aux | grep --color "[d]hcpd"
# pgrep dhcpd
Sample outputs:

Fig.02: Verify That The DHCPD Server Is Running or Not

Troubleshooting the DHCP server problem

By default, dhcpd logs all output through syslog with the log facility set to LOG_DAEMON, i.e. to the /var/log/syslog file:
# tail -f /var/log/syslog
# grep dhcpd /var/log/syslog

You can dump DHCP packets under Linux / UNIX for monitoring or debugging purposes using the dhcpdump command as follows:
# dhcpdump -i eth0
Or use the good old tcpdump program:
# tcpdump -lenx -i eth0 -s 1500 port bootps or port bootpc
Change to the /var/lib/dhcp directory to see more information about the leases that the DHCP server has assigned to clients:
# cd /var/lib/dhcp/
# ls -l
# vi dhcpd.leases
# cat dhcpd.leases
# grep 'something' dhcpd.leases
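
Beyond grepping the file, the lease database can be summarised per state and per client, which makes abandoned addresses (what dhcpd records when an address is declined or found already in use) easy to spot. The following is an added example, not part of the original tutorial; the sample leases, addresses and MACs are constructed, and it assumes the plain `lease <ip> { ... }` entry format of dhcpd.leases.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in dhcpd.leases format (documentation addresses and MACs).
SAMPLE = """\
lease 192.0.2.100 {
  binding state active;
  next binding state free;
  hardware ethernet 00:00:5e:00:53:01;
  client-hostname "laptop";
}
lease 192.0.2.101 {
  binding state active;
  hardware ethernet 00:00:5e:00:53:02;
}
lease 192.0.2.101 {
  binding state abandoned;
}
lease 192.0.2.102 {
  binding state free;
}
"""

LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)
FIELDS = {
    "state": r"^\s*binding state (\w+);",      # anchored, so "next binding state" is skipped
    "mac": r"^\s*hardware ethernet ([0-9a-fA-F:]+);",
    "hostname": r'^\s*client-hostname "([^"]*)";',
}

def parse_leases(text):
    """Return {ip: fields}. dhcpd appends to the file, so the last entry per IP wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        entry = {}
        for name, pattern in FIELDS.items():
            m = re.search(pattern, body, re.M)
            entry[name] = m.group(1) if m else None
        leases[ip] = entry
    return leases

def summarize(text):
    """Return (state counts, active leases per MAC, abandoned IPs in address order)."""
    leases = parse_leases(text)
    states = Counter(e["state"] for e in leases.values())
    per_mac = Counter(e["mac"] for e in leases.values() if e["state"] == "active")
    abandoned = [ip for ip, e in leases.items() if e["state"] == "abandoned"]
    return states, per_mac, sorted(abandoned, key=ipaddress.ip_address)
```

To use it on a live server, pass the contents of /var/lib/dhcp/dhcpd.leases to summarize(); a growing list of abandoned addresses or one MAC holding many active leases is worth investigating.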

Securing the DHCP server

Disable the dynamic DNS:

ddns-update-style none;

Set deny declines to avoid a DoS attack against your DHCP server. A client device can send DHCPDECLINE messages many times, which can exhaust the DHCP server’s pool of IP addresses and cause the DHCP server to forget old address allocations:

deny declines;

Disable support for older BOOTP clients:

deny bootp;

You must set valid and correct values for all the following operational directives. If you are not using an NIS domain or NTP server, make sure the corresponding options are not defined.

## see dhcpd.conf man page for more info on the directives ##
option domain-name  
option domain-name-servers
option nis-domain
option nis-servers
option ntp-servers
option routers
option time-offset

In most cases you only need the domain-name, domain-name-servers, and routers directives; the rest should be removed to minimize the information served by the DHCP server.
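
The checklist in this section can be verified automatically before each restart. The following is an added example, not part of the original tutorial: it reports which of the page's global directives are missing from a dhcpd.conf and which of the optional options are still being served. The sample configuration and its addresses are constructed.

```python
import re

# Global directives this page sets (statements are normalised before comparison).
REQUIRED = ("ddns-update-style none", "authoritative", "deny declines", "deny bootp")
# Options the page says to drop unless the service is really in use.
UNNEEDED = ("nis-domain", "nis-servers", "ntp-servers", "time-offset")

# Constructed sample config; addresses are documentation ranges, not the page's values.
SAMPLE = """
ddns-update-style none;
authoritative;
option domain-name "example.test";
option ntp-servers 192.0.2.5;
subnet 192.0.2.0 netmask 255.255.255.0 {
  deny bootp;   # only applies inside this subnet, so it does not count as global
  range 192.0.2.100 192.0.2.200;
  option routers 192.0.2.1;
}
"""

def statements(conf_text):
    """Yield (depth, statement) pairs; depth 0 is global scope.
    Assumes no '#', ';' or braces inside quoted strings."""
    text = re.sub(r"#[^\n]*", "", conf_text)   # strip comments
    depth, buf = 0, []
    for ch in text:
        if ch not in "{};":
            buf.append(ch)
            continue
        stmt = " ".join("".join(buf).split()).lower()
        buf = []
        if ch == ";" and stmt:
            yield depth, stmt
        depth += {"{": 1, "}": -1, ";": 0}[ch]

def audit(conf_text):
    """Return sorted findings; an empty list means the checklist passes."""
    stmts = list(statements(conf_text))
    at_global = {s for d, s in stmts if d == 0}
    findings = [f"missing global directive: {d};" for d in REQUIRED if d not in at_global]
    for _, s in stmts:
        m = re.match(r"option (\S+)", s)
        if m and m.group(1) in UNNEEDED:
            findings.append(f"review option served to clients: {m.group(1)}")
    return sorted(findings)
```

Run audit() on the text of /etc/dhcp/dhcpd.conf alongside dhcpd -t: the syntax check confirms the file parses, while this check confirms the hardening settings are actually present.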

How do I configure iptables to allow access to the DHCP server?

Edit your iptables scripts and add the following lines:

## Make sure you use an appropriate network block,  ##
## and network mask, representing the machines on your ## 
## network which should operate as clients of the dhcp server. ##
## Syntax: ##
## /sbin/iptables -A INPUT -s net/mask -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT ##
## Adjust rules as per your setup ##
/sbin/iptables -A INPUT -s -i eth0 -p tcp --sport 68 --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -s -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT

A slightly different configuration for an internal subnet

The following is a special subnet that allows PXE network booting using a tftpd server at (please note that you need to install and configure the tftpd server separately):

subnet netmask {
  ## openbsd pxe boot file ##
  filename "openbsd/pxeboot";
  ## Debian 6 pxe boot file ##
  ## filename "debian6/pxelinux.0";
  ## Freebsd pxe boot file ##
  ## filename "freebsd/pxeboot";
  ## our boot server ##
  option subnet-mask;
  option broadcast-address;
  option routers;

How do I add BOOTP support?

Each BOOTP client must be explicitly declared in the dhcpd.conf file.

## bootp my headless home router ##
host router {
     hardware ethernet 08:00:2b:4c:59:23;
     filename "debian6/pxelinux.0";
}

Posted by: SXI ADMIN

The author is the creator of SXI LLC and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.