Why DHCP
When a new host joins a [[broadcast-domain|network]], it knows nothing: no IP, no gateway, no mask, no DNS. You could configure everything by hand, but on a 200-machine office network that is not practical. A DHCP server listens for requests and hands out settings dynamically.
DORA: 4 Packets
Client (no IP) DHCP server
| |
| -- Discover -------> | (broadcast 255.255.255.255:67)
| "anyone, give me IP" |
| |
| <-- Offer ----------- | (broadcast 255.255.255.255:68)
| "offering 10.0.0.42" |
| |
| -- Request --------> | (broadcast so other servers see it)
| "taking 10.0.0.42" |
| |
| <-- Ack ------------- |
| "ok, IP is yours |
| for 1 hour" |
| |
v v
IP=10.0.0.42, GW, DNS configured
- Discover - L2-broadcast (
ff:ff:ff:ff:ff:ff), L3-broadcast (255.255.255.255), src-IP0.0.0.0. Other DHCP servers on the network see this packet too. - Offer - the server reserves an IP and proposes it to the client. Multiple servers may send offers at the same time.
- Request - the client picks one offer and says "taking it", explicitly including the chosen server-ID. Other servers see this and release their offers.
- Ack - final confirmation. From this point the IP belongs to the client.
Transport: Always UDP
TCP does not work over [[broadcast-domain|broadcast]]. UDP ports:
- 67 - DHCP server listens
- 68 - DHCP client listens
Without [[udp-basics|UDP]], DHCP is impossible in principle: a TCP handshake requires an IP address that has not been assigned yet.
Lease: Renting an IP
Each IP is issued for a TTL, for example 24 hours. The client must:
- at T1 = 50% TTL send a
Requestto the same server: "renew my lease" - at T2 = 87.5% TTL broadcast: "any server, renew my lease"
- if not confirmed before TTL expires, the client loses the IP and goes back to Discover
The TTL exists because laptops come and go and IPs must be reused. On servers the TTL is usually set higher, or the address is reserved by MAC.
DHCP Options
The Offer/Ack packet carries options with configuration:
| Option | What |
|---|---|
| 1 | subnet mask (255.255.255.0) |
| 3 | routers ([[default-gateway |
| 6 | DNS servers |
| 12 | hostname |
| 15 | domain name |
| 51 | IP lease time |
| 53 | message type (DISCOVER, OFFER, ...) |
| 54 | server identifier |
| 66 | TFTP server (for PXE boot) |
| 121 | classless static routes |
Option 121 is especially useful in VPN offices: "all traffic to 10.0.0.0/8 goes through 192.168.1.1, everything else to the default route."
On Linux
# Show the current lease on an interface
cat /var/lib/dhcp/dhclient.eth0.leases
# Re-request a lease
sudo dhclient -r eth0 # release
sudo dhclient eth0 # renew
# Modern networking uses systemd-networkd / NetworkManager, DHCP is built in
systemctl status systemd-networkd
nmcli device show eth0 | grep -i dhcp
The lease file lives in /var/lib/dhcp/ or /run/systemd/netif/leases/.
DHCP Relay
In a large network one DHCP server covers many VLANs. Each L3 device runs a
DHCP relay: it hears a broadcast from a client, forwards it as unicast to the
server, and adds giaddr (gateway IP) so the server knows which subnet the client
is on.
Without a relay, broadcasts cannot cross a [[broadcast-domain|broadcast domain]].
DHCPv6: A Different Protocol
IPv6 has SLAAC (auto-configure via RA), but also DHCPv6 for options like DNS and domain name. Ports UDP/546-547. Do not confuse the two.
When Something Goes Wrong
- No DHCP offers received - check that the server is up, the relay is configured, and there are no rogue DHCP servers on the network
- Got IP but no internet - option 3 (gateway) or option 6 (DNS) is missing from the server configuration
- Lease conflict - two servers hand out overlapping pools; arping shows two MAC entries answering the same IP
- Rogue DHCP - someone plugged in their own router; mitigation is DHCP snooping on the switch
- DUID changed - after an OS reinstall the host gets a new IP even though the MAC did not change: the client-ID defaults to DUID, not the MAC address