#407336 adopts server settings despite them not "request"ed

Package:
isc-dhcp-client
Source:
isc-dhcp
Description:
DHCP client for automatically obtaining an IP address
Submitter:
Tim Connors
Date:
2015-11-29 23:15:04 UTC
Severity:
important
#407336#5
Date:
2007-01-17 17:48:25 UTC
From:
To:
ntp now takes servers from the dhcp client without asking, and without
being overridable.  It overwrites servers that were rather
deliberately chosen, and there does not seem to be a config option to
tell it not to do that.  The mere existance of a /etc/ntp.conf.dhcp
file that may or may not be stale and out of date after the event of a
unclean shutdown is enough to tell ntp via the init.d/ntp script to
ignore my own config file.

In the presence of (the default!) *.pool.ntp.org, this is also rather
pointless, IMNSHO.

If you must include both this and the (broken; see #399905) restart
upon dhcp obtaining a new lease, please make it so the admin can
disable it by means other than deleting the script, such that they
will be preserved over upgrades?

#407336#10
Date:
2007-01-17 18:28:11 UTC
From:
To:
Tim Connors wrote:

I quote from /usr/share/doc/ntp/README.Debian.gz:

"""
If DHCP is used to configure the host, and the DHCP server sends
information about NTP servers, then this information will be used
automatically.  This is done by making a copy of /etc/ntp.conf at
/etc/ntp.conf.dhcp, replacing the server entries with the information
provided by the DHCP server, and restarting the NTP server.

In order for this to work, the "ntp-servers" option must be mentioned
in the "request" statement in /etc/dhcp3/dhclient.conf.  This is not
the case in a default installation.  A complete configuration might
look like this, for example:

    request subnet-mask, broadcast-address, time-offset, routers,
            domain-name, domain-name-servers, host-name,
            netbios-name-servers, netbios-scope, interface-mtu,
            ntp-servers;

If you don't like using the NTP servers sent by the DHCP server, this
is also the right place to turn off this behavior.
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"""

#407336#15
Date:
2007-01-18 07:31:26 UTC
From:
To:
This was as default, and hence was off.  I won't be on this dhcp network
until at least Monday, and shall try it again then with some debug output.
This may well be a dhcp3 bug.  Perhaps new_ntp_servers is being receieved
and passed on even though not requested.

#407336#20
Date:
2007-02-27 18:43:41 UTC
From:
To:
Did you have a chance to test this?  Do you still think this is a bug in
the ntp package?


Kurt

#407336#25
Date:
2007-02-27 19:40:05 UTC
From:
To:
Thanks for reminding me.  I haven't found myself on the same network yet,
but am currently in the vicinity of it.  I'll see what I can do.

#407336#30
Date:
2007-02-27 20:38:16 UTC
From:
To:
This is the last 24 hours for another month that I'll be able to access
this network, and yes, it is happening.  I put:
---
echo ntp remove
set -xv
echo $reason
set
---
and
---
echo ntp add
set -xv
echo $reason
set
---

at the start of the remove and add functions in
/etc/dhcp3/dhclient-enter-hooks.d/ntp and it is quite clearly being called
with $reason=BOUND
(about third time around after a bunch of times when $reason didn't
match).

This is with
request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers,
        netbios-name-servers, netbios-scope, interface-mtu;
in /etc/dhcp3/dhclient.conf

#407336#35
Date:
2007-02-27 21:02:05 UTC
From:
To:
reassign 407336 dhcp3-client
thanks

This looks like a bug in dhcp3 to me, since it's not requested.


Kurt

#407336#44
Date:
2007-06-23 11:42:00 UTC
From:
To:
I can't reproduce this problem. I ran a DHCP server/client pair, and
where the ntp-servers were not requested, none was included in the
information accessible to the hooks.

Try modifying the debug hooks to include new_ntp_servers and
old_ntp_servers in the list of variables they write out, and enable the
debug hooks whilst acquiring a lease.

regards

Andrew

#407336#49
Date:
2007-07-13 06:33:27 UTC
From:
To:
variables.
reason='BOUND'
interface='eth0'
medium=''
alias_ip_address=''
new_ip_address='150.203.92.87'
new_subnet_mask='255.255.255.0'
new_domain_name='anu.edu.au'
new_domain_name_servers='150.203.92.5'
new_routers='150.203.92.1'
new_static_routes=''
old_ip_address='192.231.166.113'
old_subnet_mask='255.255.255.0'
old_domain_name='aao.gov.au'
old_domain_name_servers='192.231.166.63 192.231.167.64 150.203.1.10'
old_routers='192.231.166.3'
old_static_routes=''
new_ntp_servers='150.203.92.5'
old_ntp_servers=''

So it's being received despite not being asked for.  I tried changing the
shebang line of /sbin/dhclient-script to include a -x, but didn't find
anything of use in there.  Where to from here?

Unfortunately, I don't make a transition to this network very often.

#407336#54
Date:
2007-09-25 20:02:45 UTC
From:
To:
Any thoughts on this?


On a differnet network now with a different laptop, and this time I am
trying to not request domain-name-servers, because
1) netenv is taking care of that for me,
and
2) I am intentionally trying to disable one of the domain name servers
that the dhcp server is sending me, because that DNS server is proving to
be very unreliable.

Despite it not appearing in the request line, it is still being sent to
me, and I am ending up with that dodgy DNS server still ending up in
pdnsd's configuration via resolvconf.

My thoughts are that as well as having the ability to request items from
the dhcp server, we should explicitly get the ability to blacklist
unsolicited crap the dhcp server returns back to us.  I don't *want* my
ntp servers or DNS servers to be changed from underneath me.

#407336#61
Date:
2008-03-01 07:58:21 UTC
From:
To:
retitle 407336 dhclient3: adopts dhcp server's settings despite them not being "request"ed
thanks

I have cut down the settings I want to accept from the server to a bare
minimum:
request subnet-mask, broadcast-address, time-offset, routers, interface-mtu, domain-name-servers;

As well as trying to give me ntp servers to use, which prompted this bug,
it is now giving me a domain name search list too, which resolvconf is
appending to my own list.  I'm not on the network now, so can't show the
debug behaviour, but it gives this strange looking lease with wacky expire
dates:

lease {
  interface "bond0";
  fixed-address 192.168.2.4;
  option subnet-mask 255.255.255.0;
  option routers 192.168.2.1;
  option dhcp-lease-time 4294967295;
  option dhcp-message-type 5;
  option domain-name-servers 150.203.92.5;
  option dhcp-server-identifier 192.168.2.1;
  option interface-mtu 1492;
  option domain-name "Belkin";
  renew 1 2076/03/16 05:47:04;
  rebind 1 2127/03/31 14:12:33;
  expire 6 2144/04/04 09:01:11;
}

"Belkin" ended up being appended to the search list, but I presume it came
from a pushed domain-search rather than "domain-name" option from the
server (I assume not everything sent by the server ends up in
/var/lib/dhcp3/dhclient.leases ?).

Since it is evident that dhcp servers are pushing setting not being
requested of them, perhaps it is time for the dhcp client to ignore
anything it didn't request.

#407336#68
Date:
2009-11-02 06:29:32 UTC
From:
To:
So I've picked this bug up again because I'm trying to clean up some of the
open bugs. I still cannot reproduce this in a test environment.

My understanding is that the DHCP lease file is going to contain everything
that is received from the DHCP server.

My current test was to have the DHCP server providing the ntp-servers option
and the DHCP client not requesting it.

When I *was* requesting the option, it appeared in the lease file, when I
*wasn't* it did not.

I also enabled the debug hooks and added the new_ and old_ntp_servers
variables to the list that was spat out, and when I *wasn't* requesting the
option, there these variables contained nothing (as expected).

I'll continue investigating tonight, specifically because your bug has
similarities with #553023 and I'll look into that one as well.

#407336#73
Date:
2011-04-02 08:12:08 UTC
From:
To:
It seems that the AVM Fritzbox has a DHCP server which triggers this
behavior.  Do you want me to create packet captures?