DaemonForums  

#1
28th March 2016
WeoNat
Port Guard
Join Date: Mar 2016
Posts: 10
Disable DHCP: is it at all possible?

Hi everyone,

My machine is standalone and connects to the internet using a fiber broadband modem provided by my ISP.

During installation of OpenBSD, I opted for DHCP.

Now that I have OpenBSD up and running on my machine, can I disable DHCP while still being able to resolve DNS requests and surf websites?
#2
28th March 2016
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,131

Yes, that is possible. You just have to manually configure the things that dhclient.conf requests from the dhcpd server.
From an old OpenBSD box:
Code:
request subnet-mask, broadcast-address, routers, domain-name,
        domain-name-servers, host-name;
Manual network configuration is explained at http://www.openbsd.org/faq/faq6.html#Setup
#3
28th March 2016
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,983

Hello, and welcome!

Configure your static IP address and netmask in /etc/hostname.<your nic>. As an example, something like this:
Code:
inet 10.1.2.3/24
Configure your default route - the address of your router on your local network, in /etc/mygate. As an example, something like this:
Code:
10.1.2.1
Configure your DNS nameserver(s) in /etc/resolv.conf. As an example, something like this:
Code:
nameserver 8.8.8.8
nameserver 8.8.4.4
For further guidance, see the networking chapter in the OpenBSD FAQ, Chapter 6, and the provisioning details in the hostname.if(5), mygate(5), and resolv.conf(5) man pages.

Last edited by jggimi; 28th March 2016 at 12:37 PM. Reason: clarity
#4
28th March 2016
kpa
Port Guard
Join Date: Jul 2015
Posts: 18

Note that if you're receiving public IP addresses from your ISP you might not be allowed to re-use an address that was previously assigned to you using manual configuration and you'll have to stick to using DHCP. If your modem does NAT and the addresses assigned to your machines are RFC1918 addresses (10.*.*.*, 172.16-31.*.* and 192.168.*.*) then it does not matter.
#5
28th March 2016
WeoNat
Port Guard
Join Date: Mar 2016
Posts: 10

Quote:
Originally Posted by J65nko
From an old OpenBSD box:
Code:
request subnet-mask, broadcast-address, routers, domain-name,
        domain-name-servers, host-name;
Question: do I need to input numerical values for "subnet-mask", "broadcast-address", "routers", etc.? If I need to, how do I obtain the relevant details?
#6
28th March 2016
WeoNat
Port Guard
Join Date: Mar 2016
Posts: 10

Quote:
Originally Posted by jggimi
Hello, and welcome!
Is there a welcome gift waiting for me to collect?... OK, just kidding...

Quote:
Originally Posted by jggimi
Configure your static IP address and netmask
I remember that my ISP told me that my subscription package comes with dynamic IP addresses only, no static ones. If I need static IP addresses, I need to pay a lot more than I am currently paying.

Quote:
Originally Posted by jggimi
Configure your default route - the address of your router on your local network, in /etc/mygate.
How do I find out the address of my router? Is it ifconfig?

Surprisingly, my OpenBSD operating system does not have mygate in /etc; I had to create one. (There is only a myname file.)

An idea just came to me while I was writing this reply to you.

During installation of OpenBSD, can I choose to not use DHCP and then configure the various options that you have shown me in your reply? Will that help to simplify matters?
#7
28th March 2016
WeoNat
Port Guard
Join Date: Mar 2016
Posts: 10

Quote:
Originally Posted by kpa
Note that if you're receiving public IP addresses from your ISP you might not be allowed to re-use an address that was previously assigned to you using manual configuration and you'll have to stick to using DHCP. If your modem does NAT and the addresses assigned to your machines are RFC1918 addresses (10.*.*.*, 172.16-31.*.* and 192.168.*.*) then it does not matter.
What do you mean by "public IP addresses"? Some examples would be helpful.

What do you mean by "you might not be allowed to re-use an address that was previously assigned to you using manual configuration and you'll have to stick to using DHCP"?

How do I know that my modem/router does NAT? What tests can I perform to find out if it does NAT?

There is only one machine connected to the modem/router. When I do an ifconfig, I only see 192.168.xxx.xxx. Is that what you term "RFC1918" addresses? What are non-RFC1918 addresses? Some examples please.
#8
28th March 2016
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,983

Let me try to do a little level-setting. It appears you may be confused. I hope this is neither repetitive nor insulting. It's only intended as a level-set.

The Internet is an interconnection of millions of separate networks. Some of those networks are designated for private use -- and their addresses are not used over the Internet. Specifically, the address ranges 10.x.x.x, 192.168.x.x, 172.16.x.x-172.31.x.x, and some other address ranges are never actually used "on" the Internet; they are used only inside private networks. For example, you and I can have the same 192.168.10.20 device on our separate private networks. But you and I can still communicate over the Internet. Our device addresses get translated by our gateway routers into actual Internet-facing addresses. This is done through a technology called Network Address Translation ("NAT").

With me so far? I hope so.

Your ISP provided you with a gateway device. A modem/router of some kind. When you connected through it to the Internet, there were only two possibilities:

1) Your DHCP address was assigned by that gateway/modem/router, on one of those private address ranges. This is the more likely scenario. Congratulations, you have a private network attached to the Internet through a NAT router.

2) Your DHCP-supplied address was assigned further upstream by your ISP, and is an actual "on-the-Internet" address not in one of those private ranges. You do not have a private network, your computer is directly "Internet-facing".

If you issue the command "ifconfig egress" at any shell prompt, you will see the currently configured Network Interface Connection ("NIC") for outbound traffic on your OpenBSD system. If that address starts with 10, or 192.168, or 172.16*, you have a private network. Your ISP-provided device "does NAT" for you, and all devices on your private network, if you ever add any, will share a single, Internet-facing IP address. They will all share the Internet address of that ISP-provided device, actually.

In my example provisioning steps, above, I showed a private network address for a NIC - em0, sis0, vr0 ... there are many possible NIC drivers, and the first one will be device number 0. I used an address that began with the number 10 in the example hostname file, assuming the far more common use of a private network attachment. You have a hostname.<some NIC> file already, containing the keyword "dhcp".

I also provided an example of a routing configuration, and chose another address on the same private network. Whatever the address of the router might be on your private network. Your computer needs to know where to send packets that are addressed to other networks, and so it needs to know the address of the router on your local network.

Of course, the addresses I chose were just examples, and may have no bearing on any use of either a private network defined by your ISP-provided device, or a direct on-the-Internet address. To assign a static address on your private network, if you have one, you must pick an address within the subnet defined by the ISP-provided device. And, the address must be in the range delegated to static addresses, and not one within the pool of dynamic addresses the device might assign.

---

If this information is all review, I apologize. If this information seems complex and confusing perhaps you could help us understand what it is you want to accomplish. Why does it matter if the OS uses or does not use DHCP for addressing?

---

* 172.16.0.0 through 172.31.255.255

Last edited by jggimi; 28th March 2016 at 05:07 PM. Reason: clarity, one typo.
#9
28th March 2016
WeoNat
Port Guard
Join Date: Mar 2016
Posts: 10

Quote:
Originally Posted by jggimi
To assign a static address on your private network, if you have one, you must pick an address within the subnet defined by the ISP-provided device. And, the address must be in the range delegated to static addresses, and not one within the pool of dynamic addresses the device might assign.
Thanks, I understand about 95% of your write-up.

My router starts with 192.168.0.1. I suppose you call that the default gateway.

Sometimes my router assigns 192.168.0.47 or 192.168.0.123 or 192.168.0.131 to my machine. Are these addresses within the range delegated to static addresses?

Quote:
Originally Posted by jggimi
Why does it matter if the OS uses or does not use DHCP for addressing?
I'm trying to control the way the operating system makes DNS requests through my specified resolvers.
28th March 2016
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,983

Quote:
Originally Posted by WeoNat
thanks, i understand about 95% of your write-up.
Great! The other 5% would be my inability to articulate clear ideas.
Quote:
my router starts with 192.168.0.1. i suppose you call that the default gateway.
Indeed. Your router connects to two networks: your local private network, with that address, and your ISP's Internet-facing network, with a real Internet address.

I would guess then that your private network is the range of addresses from 192.168.0.0 - 192.168.0.255. Commonly called a "/24", meaning that the first 24 bits (3 bytes) are the network address, the remaining 8 bits (1 byte) are device addresses on the network. The reason? /24 subnets are easy to read and understand in a.b.c.d addressing notation. A /24 notation or a "netmask" of 255.255.255.0 mean the same thing.

FYI: There are 256 addresses available on a /24 subnet, but only 254 can be assigned to devices. The low and high addresses of any subnet (.0, .255 for a /24) are reserved for routing and broadcast.
Quote:
sometimes my router assigns 192.168.0.47 or 192.168.0.123 or 192.168.0.131 to my machine. are these addresses within the range delegated to static addresses?
No, those are all within the dynamic range assigned by the ISP's device. You should have the ability to review (or change) the device's customer-configurable bits, such as local network addressing and DHCP settings. How you do that will depend on the device, and perhaps what your ISP permits.
Quote:
i'm trying to control the way the operating system makes dns requests through my specified resolvers.
That's entirely different than assigning static addresses. You just want to tell OpenBSD to ignore the nameserver addresses provided by your ISP, so you can use your own. Easy.

The DHCP protocol is client-server. In this case, your OpenBSD system is the client, and the name of the program it runs for you during boot up (and while your network is up) is dhclient. You can read about it in the dhclient(8) man page.

You'll want to adjust the dhclient configuration file, to tell it to ignore what your ISP's device submits for nameservers, and use your own. The configuration file is called /etc/dhclient.conf, and it has a man page too: dhclient.conf(5). The man page describes a supersede directive, and that's all you need to add.

As an example to use Google's domain name servers, you would use:
Code:
supersede domain-name-servers 8.8.8.8, 8.8.4.4;
During the client-server session, dhclient will ignore the domain name servers provided by your ISP, and will put Google's domain name servers into your /etc/resolv.conf for you.

Last edited by jggimi; 28th March 2016 at 07:29 PM. Reason: added resolv.conf resolver sentence. And some clarity. And some typos.
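The address checks jggimi walks through in the two posts above (RFC 1918 classification of the "ifconfig egress" address, and picking a static address inside the gateway's /24 that is not the .0 or .255 address) as an added POSIX sh example, not code from the thread or from OpenBSD; the ifconfig output and all addresses are constructed sample values:

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check a candidate static address
# before writing it to /etc/hostname.<nic> and /etc/mygate. Classifies an IPv4
# address as RFC 1918 (private) or public, and checks that the address is in
# the gateway's subnet and is not the reserved network or broadcast address.
# POSIX sh, no network access; every sample value below is constructed.

# Print a.b.c.d as a 32-bit integer; return 1 if the address is malformed.
ip_to_int() {
    IFS=.; set -- $1; unset IFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac   # no empty, non-digit or 0-led octets
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 0 if the address is in 10/8, 172.16/12 or 192.168/16 (the RFC 1918 ranges
# jggimi lists), 1 if it is a public address, 2 if it is not valid IPv4.
is_rfc1918() {
    ip_to_int "$1" >/dev/null || return 2
    IFS=.; set -- $1; unset IFS
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# Netmask for a prefix length, as an integer (/24 is 255.255.255.0).
prefix_to_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# check_static ADDR GATEWAY PREFIX: 0 if ADDR is a usable host address in the
# gateway's subnet, 1 otherwise. A one-line verdict is printed either way.
check_static() {
    a=$(ip_to_int "$1") || { echo "$1: not an IPv4 address"; return 1; }
    g=$(ip_to_int "$2") || { echo "$2: gateway is not an IPv4 address"; return 1; }
    m=$(prefix_to_mask "$3")
    host=$(( a & ~m & 0xFFFFFFFF ))
    if [ $(( a & m )) -ne $(( g & m )) ]; then
        echo "$1: not in the gateway's subnet $2/$3"; return 1
    fi
    # host bits all zero is the network address, all ones the broadcast address
    if [ "$host" -eq 0 ] || [ "$host" -eq $(( ~m & 0xFFFFFFFF )) ]; then
        echo "$1: network or broadcast address, not assignable"; return 1
    fi
    if is_rfc1918 "$1"; then kind=private; else kind=public; fi
    echo "$1: usable $kind host address in $2/$3"
}

# First inet address in ifconfig(8) output read from stdin ("ifconfig egress").
inet_from_ifconfig() {
    awk '$1 == "inet" { print $2; exit }'
}

# Constructed "ifconfig egress" output for a machine behind a NAT router.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:01
        inet 192.168.0.47 netmask 0xffffff00 broadcast 192.168.0.255'

cur=$(printf '%s\n' "$SAMPLE_IFCONFIG" | inet_from_ifconfig)
if is_rfc1918 "$cur"; then echo "$cur: private address, so the ISP's device does NAT"; fi
for cand in 192.168.0.200 192.168.0.255 192.168.1.5 8.8.8.8; do
    check_static "$cand" 192.168.0.1 24 || true
done
```

The candidate that passes still has to be outside the router's DHCP pool, which only the device's own configuration can tell you.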
28th March 2016
e1-531g
ISO Quartermaster
Join Date: Mar 2014
Posts: 628

Quote:
Originally Posted by jggimi
You'll want to adjust the dhclient configuration file, to tell it to ignore what your ISP's device submits for nameservers, and use your own. The configuration file is called /etc/dhclient.conf, and it has a man page too: dhclient.conf(5). The man page describes a supersede directive, and that's all you need to add.

As an example to use Google's domain name servers, you would use:
Code:
supersede domain-name-servers 8.8.8.8, 8.8.4.4;
During the client-server session, dhclient will ignore the domain name servers provided by your ISP, and will put Google's domain name servers into your /etc/resolv.conf for you.
One could also make a more complicated setup with a local caching resolver.
In base there is the unbount resolver. In this case you need to configure the system to:
1. Have "nameserver 127.0.0.1" in /etc/resolv.conf. You can do it, as jggimi suggested, through the supersede directive in /etc/dhclient.conf.
2. Enable unbound using rcctl(8).
3. Edit /var/unbound/etc/unbound.conf to set up remote DNS server(s) you want to use.
4. Restart or reload configuration in unbound using rcctl(8).
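The four steps above, staged as files in a scratch directory with a review pass before anything is installed, as an added example that is not from the thread or from OpenBSD. It assumes the page's paths (/etc/dhclient.conf, /var/unbound/etc/unbound.conf, rcctl) and uses constructed upstream resolvers; `<nic>` is a placeholder for your interface name:

```sh
#!/bin/sh
# Added example, not from the thread or from OpenBSD itself: stage the files for
# the four-step local caching resolver setup in a scratch directory so they can
# be reviewed before being copied into place as root. The upstream resolvers
# are constructed values (the ones used earlier in the thread); replace them
# with the resolvers you actually trust.
STAGE=${STAGE:-$(mktemp -d)}
UPSTREAMS="8.8.8.8 8.8.4.4"

# Step 1: a dhclient.conf(5) "supersede" makes dhclient write 127.0.0.1 into
# /etc/resolv.conf instead of the nameservers the ISP's DHCP server hands out.
write_dhclient_conf() {
    mkdir -p "$STAGE/etc"
    echo 'supersede domain-name-servers 127.0.0.1;' > "$STAGE/etc/dhclient.conf"
}

# Step 3: unbound.conf(5). Listen on loopback only and refuse everything that
# is not local, so the cache is never reachable from the network; forward all
# queries for "." to the chosen upstreams instead of the ISP's servers.
write_unbound_conf() {
    mkdir -p "$STAGE/var/unbound/etc"
    cat > "$STAGE/var/unbound/etc/unbound.conf" <<EOF
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
$(for r in $UPSTREAMS; do printf '    forward-addr: %s\n' "$r"; done)
EOF
}

# Review the staged files before installing them: resolv.conf must end up
# pointing at loopback, unbound must listen on loopback only, must not allow
# the whole Internet, and must have at least one upstream. 0 if all hold.
check_stage() {
    u="$STAGE/var/unbound/etc/unbound.conf"
    grep -q '^supersede domain-name-servers 127.0.0.1;' "$STAGE/etc/dhclient.conf" ||
        { echo "dhclient.conf: resolv.conf would not point at 127.0.0.1"; return 1; }
    if grep '^ *interface:' "$u" | grep -Ev 'interface: (127\.0\.0\.1|::1)$' >/dev/null; then
        echo "unbound.conf: listens on a non-loopback interface"; return 1
    fi
    if grep -Eq '^ *access-control: (0\.0\.0\.0/0|::0/0) allow' "$u"; then
        echo "unbound.conf: open resolver, answers queries from anywhere"; return 1
    fi
    grep -q '^ *forward-addr:' "$u" ||
        { echo "unbound.conf: no upstream forward-addr configured"; return 1; }
    echo "staged configuration in $STAGE passes review"
}

# Steps 2 and 4 plus installing the staged files: printed, not executed, since
# they need root on the target OpenBSD system. <nic> is a placeholder.
install_commands() {
    cat <<EOF
cp $STAGE/etc/dhclient.conf /etc/dhclient.conf
cp $STAGE/var/unbound/etc/unbound.conf /var/unbound/etc/unbound.conf
rcctl enable unbound          # step 2
rcctl restart unbound         # step 4: load the new unbound.conf
sh /etc/netstart <nic>        # re-run dhclient so resolv.conf is rewritten
EOF
}

write_dhclient_conf
write_unbound_conf
check_stage && install_commands
```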
29th March 2016
WeoNat
Port Guard
Join Date: Mar 2016
Posts: 10

Quote:
Originally Posted by jggimi
Great! The other 5% would be my inability to articulate clear ideas.
No, the other 5% is due to the denser than normal matter in my brain that is preventing me from being somewhat able to understand your write-up.

Quote:
Originally Posted by jggimi
You should have the ability to review (or change) the device's customer-configurable bits, such as local network addressing and DHCP settings. How you do that will depend on the device, and perhaps what your ISP permits.
What do you mean by "local network addressing" and "DHCP settings" in my router/modem? Some examples would be helpful.

Quote:
Originally Posted by jggimi
You'll want to adjust the dhclient configuration file, to tell it to ignore what your ISP's device submits for nameservers, and use your own. The configuration file is called /etc/dhclient.conf
Some suggest adjusting /etc/resolv.conf. Which method is orthodox for OpenBSD: adjusting dhclient.conf or resolv.conf?

Quote:
Originally Posted by jggimi
During the client-server session, dhclient will ignore the domain name servers provided by your ISP, and will put Google's domain name servers into your /etc/resolv.conf for you.
This is the part where I am stumped.

After booting up OpenBSD, I launch my web browser and type in, say, www.openbsd.org in the URL field and press Enter. As I have already configured dhclient.conf to ignore the nameservers provided by my ISP, how on earth is my browser able to resolve www.openbsd.org?
29th March 2016
WeoNat
Port Guard
Join Date: Mar 2016
Posts: 10

Quote:
Originally Posted by e1-531g
One could also make a more complicated setup with a local caching resolver.
What are the advantages of setting up a local caching resolver?

The way I see it is that having a local caching resolver poses a great risk. OpenBSD, like other operating systems, may contain security vulnerabilities that allow malicious scripts to hack into the cache of Unbound and send them surreptitiously back to the hackers. In addition, the Unbound source code may contain bugs that allow such exploits to take place.

Quote:
Originally Posted by e1-531g
In base there is the unbount resolver. In this case you need to configure the system to:
I suppose you were referring to Unbound?

Some suggest installing and configuring dnsmasq as my local recursive nameserver.

What are the advantages of using Unbound over dnsmasq?

Are the two mutually exclusive, meaning, I cannot install both at the same time on my machine?
29th March 2016
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,983

Quote:
Originally Posted by WeoNat
what do you mean by "local network addressing" and "DHCP settings" in my router/modem? some examples would be helpful.
Many ISPs rent or sell equipment for the customer's use. You have such. These gateway devices often have management tools, such as web server software for configuration settings. The customer points their web browser at the device, and can make provisioning changes.

In the case of a router, this could include all sort of settings, such as:
  • Using DHCP upstream, or a static address, netmask, and routing information for use with the upstream network.
  • Defining the downstream network, such as your apparent 192.168.0.0/24 network.
  • Defining a static address on that downstream network, such as 192.168.0.1.
  • Defining if the router will provide a DHCP server on the downstream network, like yours. And if so, what range within the network will be a pool of dynamic addresses, what devices on the network will have a static address assignment based on their MAC (Ethernet) address, how long the leases of dynamic addresses will last, and other DHCP server settings.
  • Determining if NAT will be used, as with a private network like yours.
  • If NAT is used, configuring any needed "port forwarding" to permit unsolicited incoming TCP or UDP traffic to select ports to be routed to specific statically addressed devices on the private network, or configuring a specific "DMZ" device which receives all unsolicited traffic.
  • Setting up various "firewall rules."
(The list continues, and is as varied as the devices themselves.)

Quote:
some suggest adjusting the /etc/resolv.conf. which method is orthodox to openbsd? to adjust the dhclient.conf or resolv.conf?
You are currently using dhclient. That always replaces the /etc/resolv.conf file every time it starts, and every time a lease is renewed. Which is why I recommended using a simple supersede directive with dhclient.

Those who use dhclient on OpenBSD and wish to manipulate the contents of /etc/resolv.conf do so one of two ways. Either via provisioning rules in /etc/dhclient.conf, or via the /etc/resolv.conf.tail file. This snippet of rules the admin defines is appended to /etc/resolv.conf by dhclient every time it runs, as discussed in the resolv.conf(5) man page.
Quote:
after booting up openbsd, i launch my web browser and type in, say, www.openbsd.org in the URL field and press Enter. as i have already configured dhclient.conf to ignore the nameservers provided by my isp, how on earth is my browser able to resolve www.openbsd.org?
You told it to supersede the nameserver addresses provided by the DHCP server running inside your ISP's device. You supersede those addresses with other addresses. If you used 8.8.8.8 and 8.8.4.4 as in my example above, you will see those addresses sitting in /etc/resolv.conf. These are the public nameserver addresses that Google provides free of charge to the world, because they want to know what the world is looking up, in order to profit from it.

Last edited by jggimi; 29th March 2016 at 12:58 AM. Reason: clarity, typos, more clarity, more typos. It never ends.
29th March 2016
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,983

Quote:
Originally Posted by WeoNat
what are the advantages of setting up a local caching resolver?
It would have some performance improvement, since a portion of your network traffic is DNS queries and responses. If the name to address map is already in memory, no network query is required.

The performance advantage is greater if you have multiple devices on your local network sharing a cache. At the moment, you have only one device on the local network other than the ISP's router. You may not see noticeable improvements.
Quote:
the way i see it is that having a local caching resolver poses a great risk...
This information in cache could be considered PII. But your attacker could acquire the same information by attacking the network between you and the DNS server, or attacking the server, and both are outside your control. Or, they could purchase the information from the DNS server company. From Google, as an example.

(Of course, Google will not sell individual IP information, only "big data" aggregations. We hope. Did they already switch their slogan from "Don't be Evil" to "Evil is OK sometimes"? )
Quote:
in addition, the Unbound source code may contain bugs that allow such exploits to take place.
The unbound e1-531g refers to is included in the OpenBSD base. Which means it has been, and continues to be, audited for best practices of software development. That's not a guarantee, of course. Nothing is. But it is a "seal of approval" for code quality.
Quote:
some suggest installing and configuring dnsmasq as my local recursive nameserver.

what are the advantages of using Unbound over dnsmasq?
The dnsmasq application is available as a 3rd party package. 3rd party packages are not audited. While dnsmasq may have uses that unbound does not, if you do not need special features you should generally use the tools found in-base before using a 3rd party replacement, since the project conducts regular code review of in-base software.

---

I didn't recommend a caching resolver to you. For two reasons. 1) While there may be some performance advantage to caching name resolution, you're currently dealing with initial provisioning and you can always add one later, after you have a greater understanding of the system and its surrounding infrastructure. 2) It takes us out of the initial scope of query, which we try to avoid on this forum. When a new question arises, admins ask us to start a new thread.

And if it arises as you look at DNS in more detail, should you have any questions about technologies that mitigate risk of DNS traffic exposure -- such as DNSSEC or Tor -- please start a new thread.

Last edited by jggimi; 29th March 2016 at 01:41 AM. Reason: clarity