Page MenuHomeVyOS Platform

DHCP: disallow/do-not-request certain options when requesting IP address from server
Closed, ResolvedPublicFEATURE REQUEST

Description

Please make it possible to disregard some received DHCP options (See T2997#78071 for screenshot of suggestion), for example:

set interfaces ethernet eth0 address dhcp alter-dhcp-default-gateway discard

Adding this capability also improves visibility about operational gateways (e.g: in a "show configuration commands" output ).

Note: since we already have similar syntax for dns received from DHCP:

set system name-servers-dhcp eth0

an alternative syntax could be (with default off)

set system routes-dhcp eth0

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Do other vendors suppert highjacking/altering of DHCP options? I feel this kills the whole concept of DHCP.

I'm in for adding a CLI option to not request a default route for sure but the other stuff I do not comply. Please show e.g. Cisco / Juniper / Arista configs which support this highjacking.

This is an example scenario in which this comes handy:
You have three ethernet interfaces
Two are connected to different LANs
The third is connected to WAN (another router)
All networks offer DHCP and def gw
The LANs offer it for internet access
The WAN offers it for branch access
We want to keep def gw received for WAN and ignore internet access offered by those LANs

Only these three (gw, dns, ntp) benefit most to be hijackable. So I appreciate this point you mentioned and simplify the request to def-gw only if you agree.

Here below are attached images of GUI and text representation of a router which I use and supports this (it is Mikrotik. I currently have do not access to other brands to verify)


I can see a case where people deliberately do NOT want to use ISP provided DNS servers (to avoid DNS NX hijacking) (and/or lock to a major internet DNS server like google 8.8.8.8 or Quad9 9.9.9.9 or Cloudflare 1.1.1.1 for example)

c-po renamed this task from Allow ignoring received DHCP options to DHCP: disallow/do-not-request certain options when requesting IP address from server.Nov 7 2020, 7:46 PM
c-po changed the task status from Open to In progress.
c-po claimed this task.

set interfaces ethernet eth2 dhcp-options no-default-route

Implemented for gateway address

DNS domain name servers are always requested from the server but must be explicitly "allowed" by set systems name-servers-dhcp

erkin set Issue type to Feature (new functionality).Aug 29 2021, 12:32 PM
erkin removed a subscriber: Active contributors.