Openwrt isc-dhcpd-4.2.4

dhcp-server

Every time the dhcp service starts, it listens not only on 0.0.0.0:67 but also on 0.0.0.0:PORT where PORT is a random number.

Anyone knows where this behaviour comes from?

root@OpenWrt:/# netstat -ntapue
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 10.0.16.1:22            0.0.0.0:*               LISTEN      898/sshd
netstat: /proc/net/tcp6: No such file or directory
udp        0      0 10.0.16.1:514           0.0.0.0:*                           922/syslog-ng
udp        0      0 0.0.0.0:60738           0.0.0.0:*                           1290/dhcpd
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1290/dhcpd
udp        0      0 10.0.16.1:69            0.0.0.0:*                           974/tftpd-hpa
netstat: /proc/net/udp6: No such file or directory

My config is:

# dhcpd.conf

ddns-updates off;

authoritative;

# don't let clients modify their own A records
ignore client-updates;

default-lease-time 3600;
max-lease-time 86400;

option domain-name "lan";

option domain-name-servers 212.24.188.130, 212.24.188.131;

subnet 10.0.16.0 netmask 255.255.255.0 {
        host marvin
        { hardware ethernet 48:5D:11:2F:22:31;
        fixed-address 10.0.16.202; }
      range 10.0.16.207 10.0.16.209;
      option subnet-mask 255.255.255.0;
      option broadcast-address 10.0.16.255;
      option routers 10.0.16.1;
      deny unknown-clients;

      next-server 10.0.16.1;
      filename "pxelinux.0";
}

Search in google returns that it's a kind of a bug:

https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1176046

On the launchpad there is also a link to the proposed solution (building package from source with extra options for ./configure script):

http://forums.debian.net/viewtopic.php?f=10&t=95273

I have checked release notes for latest stable (4.2.5-P1) and development (4.2.6b1 and 4.3.0b1) versions of ISC DHCPD and this bug does not seem to be fixed there.

For OpenWRT to rebuild the package from source with custom options, you need to build your own opkg package using cross-compiler for your router's architecture, or even rebuild the whole OpenWRT image: http://wiki.openwrt.org/doc/devel/packages

So to solve the security issue I would suggest you to just block all ports except needed (22, 67, 69, 514) with your firewall.

Related

logrotate is not executing custom shell script in postrotate
Cacti graph not showing
Setup IIS to require client certificate and to use anonymous authentication
Possible to migrate RAID 10 system from 2TB Seagate to 2TB WD?
Requests getting queued in IIS worker process at ExecuteRequestHandler
Remotely run a script invoking "Run As Administrator"
pam_tty_audit and non privileged users
csync2 ERROR: Connection to remote host failed
ksoftirqd hitting 100% on interface with ixgbe driver
Riak "error":"insufficient_vnodes_available"
Unable to resize ec2 ebs root volume
Deployment to thousands of Amazon S3 accounts?