A DHCP (Dynamic Host Configuration Protocol) server is a critical networking service used for the automatic assignment of IP addresses and other network parameters to devices on a local network.
This guide covers the absolute minimum steps required to install and configure a simple, secure DHCP server on enterprise-grade CentOS 7.
1. Prerequisites & System Design
This walkthrough assumes a freshly installed CentOS 7 server with a configured static IP address.
For storage, this virtual machine has two separate disks provisioned. Disk 1 is dedicated to the OS, while Disk 2 will be used to host local yum repositories later.
Following the security recommendations from CIS Benchmarking Standards, the storage partitions are carved out using LVM as follows:
Disk 1 (80 GB) — Operating System
| Mount Point | Size |
|---|---|
/ | 20 GB |
swap | 4 GB |
/boot | 1 GB |
/tmp | 8 GB |
/home | 15 GB |
/var | 15 GB |
/var/log | 14 GB |
/var/log/audit | 8 GB |
Disk 2 (60 GB) — Custom Repositories & Web Assets
| Mount Point | Size |
|---|---|
/var/www/ | 60 GB |
2. Base OS & Environment Setup
Enable EPEL Repository
Install the Extra Packages for Enterprise Linux (EPEL) repository. This repository provides additional debugging tools and security plugins we will use later:
yum install epel-release -y
Update the System
Bring all package dependencies up to date:
yum update -y
Disable SELinux
To ensure configuration changes apply cleanly, disable SELinux by editing the config file:
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
Reboot the machine for changes to take effect:
reboot
Install Shell Helpers (Optional)
Install shell completion helpers and index databases so file searches are fast:
yum install bash-completion mlocate -y && updatedb
source /etc/profile.d/bash_completion.sh
3. Installing the DHCP Package
Now, install the core DHCP packages:
yum install dhcp.x86_64 -y
4. Firewall & Service Configuration
Open Firewall Services
Allow incoming DHCP traffic in your local firewall:
firewall-cmd --add-service=dhcp --permanent
firewall-cmd --reload
Verify Opened Services
Confirm that the dhcp service is correctly listed and accessible:
firewall-cmd --list-all
Enable Service on Startup
Set the DHCP daemon to start automatically at boot:
systemctl enable dhcpd.service
5. Setting Up the DHCP Configuration
Now, populate the configuration file /etc/dhcp/dhcpd.conf.
This configuration is set to be authoritative and uses an explicit whitelisting group. Clients whose MAC addresses are listed below will receive the same static IP addresses every time they ask for a lease:
cat > /etc/dhcp/dhcpd.conf <<EOF
#------------------------------------------------------
authoritative;
default-lease-time 600;
max-lease-time 7200;
option domain-name-servers 8.8.8.8, 8.8.4.4;
option domain-name "induslevel.com";
option ntp-servers lhr-ntp1.induslevel.com,lhr-ntp2.induslevel.com;
subnet 172.16.99.0 netmask 255.255.255.0 {
option broadcast-address 172.16.99.255;
option routers 172.16.99.1;
filename "/pxelinux.0";
pool {
range 172.16.99.150 172.16.99.230;
}
group {
next-server lhr-pxe1.induslevel.com;
host tclient110 {
hardware ethernet 00:0c:29:d3:a1:d1;
fixed-address 172.16.99.110;
option host-name "tclient110.induslevel.local";
}
host tclient120 {
hardware ethernet 00:21:cc:6c:2e:42;
fixed-address 172.16.99.120;
option host-name "tclient120.induslevel.local";
}
}
}
deny unknown-clients;
EOF
6. Explaining the Config Variables
Here is a brief description of the key keywords used in your new dhcpd.conf:
| Keyword / Option | Description |
|---|---|
authoritative | Indicates that the DHCP server should send DHCPNAK messages to reject mis-configured clients. |
default-lease-time | The default duration (in seconds) of a lease if the client does not request a specific time. |
max-lease-time | The maximum lease time (in seconds) allowed for any client. |
option domain-name-servers | Lists IP addresses of DNS servers available to clients. |
option domain-name | The DNS domain name clients should append when resolving unqualified hostnames. |
option ntp-servers | Lists IP addresses/hostnames of NTP servers to synchronize time. |
subnet | Declares network boundaries; required for each subnet even if no dynamic ranges are set. |
option broadcast-address | Sets the broadcast IP address used on the client's subnet. |
option routers | Defines gateway routers for the clients (default gateway). |
filename | Defines the name of the bootloader file loaded by PXE clients over TFTP. |
pool | Defines an allocation boundary inside the subnet scope. |
range | Specifies the range of dynamic IP addresses available for temporary leases. |
group | Logical scoping mechanism that groups hosts for sharing variables or parameters. |
next-server | Defines the address of the server to fetch the initial boot file from (PXE seed). |
host | Defines variables specific to a unique hardware host. |
hardware ethernet | Specifies the MAC address of the target client NIC. |
fixed-address | Assigns a permanent IP address to a specific hostname/MAC match. |
option host-name | Explicit hostname given to the client. |
deny unknown-clients | Prevents the server from offering dynamic leases to unlisted MAC addresses. |
7. Starting the Service
Now, start the DHCP service and confirm that it is running correctly:
systemctl start dhcpd.service && systemctl status dhcpd.service
8. Testing Configuration Correctness
To test that your new server responds to DHCP requests and returns configured IP leases correctly, use Nagios' check_dhcp plugin (available in EPEL):
yum install nagios-plugins-dhcp.x86_64 -y
Assuming your DHCP server is running on the static IP 172.16.99.254, simulate a dynamic lease request from client interface ens192 with a whitelisted MAC:
/usr/lib64/nagios/plugins/check_dhcp -i ens192 -m 00:0c:29:d3:a1:d1 -s 172.16.99.254
If the query succeeds, the plugin returns a success message, indicating your server is correctly responding to queries and validating hardware profiles!
In my next article, I will cover how to set up and configure a TFTP server to serve the PXE boot files, enabling unattended OS installations and security hardening.