[Infrastructures] DHCP for servers

Rainer.Heilke@atcoitek.com Rainer.Heilke@atcoitek.com
Mon, 27 Jun 2005 16:32:36 -0600 

In Active Directory, you can use DHCP, and have reservations for
servers. I'm assuming ISC and others have this as well. I know of some
that work this way. While this eases some problems, the down side is
that this wouldn't prevent the problems you mention. Of course, these
problems aren't limited to DHCP (like when some whiz fires up Samba, and
stomps on your Windows domain).

As you say, all of these things must be guided by your security
policies, etc.

Rainer

> -----Original Message-----
> From: infrastructures-admin@TerraLuna.Org 
> [mailto:infrastructures-admin@TerraLuna.Org] On Behalf Of 
> Stephen P. Schaefer
> Sent: Monday, June 27, 2005 3:56 PM
> To: infrastructures@terraluna.org
> Subject: Re: [Infrastructures] DHCP for servers
> 
> 
> One issue to consider is your security posture: DHCP is a completely
> unauthenticated protocol.  (How can you authenticate before 
> you know who
> you are or anyone else is?)  I've occasionally run a DHCP 
> *server* on my
> Linux laptop when we couldn't figure out how to get the Microsoft DHCP
> server to behave as I wanted it to (whereas the ISC server "just
> worked").  But the flip side is that anyone with physical 
> access to the
> subnet can also run a a DHCP server, causing havoc - and not 
> necessarily
> maliciously: maybe their laptop is their DHCP server *at 
> home* - I know
> mine occasionally is :-).
> 
> I use DHCP during the install, but part of the installation automates
> transforming that DHCP lease into a hard-coded address, after 
> which the
> machine doesn't participate in DHCP.  That means I can't use DHCP to
> update things like router, DNS server, NIS domain, or 
> anything else, but
> there are other means to those ends.
> 
>     - Stephen
> 
> On Mon, 2005-06-27 at 16:33 -0400, David A. Ulevitch wrote:
> > On Jun 27, 2005, at 1:01 PM, Kyle Moore wrote:
> > 
> > > This is probably a stupid question but is it common or 
> considered   
> > > best practices to use DHCP for servers? I've always 
> thought this   
> > > was a bad idea because it is just one more dependency for the   
> > > server that I would like to avoid. Now that I'm trying to
> > automate   
> > > more and maintain consistency DHCP seems like a good idea.
> > 
> > It doesn't seem like it'd be very hard to make a failover DHCP   
> > setup.  DHCP provides a lot of nice things (like enabling 
> PXEboot)   
> > and other features.  Unlike a database server which might be hard
> > to   
> > setup failover for, a DHCP server seems rather easy and static.
> > 
> > In fact, I may have read about some features in ISCs dhcpd that   
> > specifically provide or complement some failover features but I
> > can't   
> > see to find it at the moment... man dhcpd I suppose. :)
> > 
> > Thanks, 
> > David Ulevitch 
> > _______________________________________________ 
> > Infrastructures mailing list 
> > Infrastructures@mailman.terraluna.org 
> > http://mailman.terraluna.org/mailman/listinfo/infrastructures
> > 
> _______________________________________________
> Infrastructures mailing list
> Infrastructures@mailman.terraluna.org
> http://mailman.terraluna.org/mailman/listinfo/infrastructures
>