How to Configure dhclient to Bind Only to Localhost on UDP Port 68 in Linux Networking


When examining network services with netstat or ss, you'll often notice dhclient listening on UDP port 68 (bootpc) with a wildcard address (0.0.0.0). This is the standard behavior for DHCP clients:

# Typical dhclient listening configuration
udp        0      0 0.0.0.0:68     0.0.0.0:*              1563/dhclient

The DHCP protocol requires clients to listen on port 68 because:

  • DHCPOFFER packets may come from any DHCP server on the network
  • The client doesn't know the server's IP address initially
  • Broadcast communication is fundamental to DHCP discovery

While having an open UDP port might seem concerning, the actual risk is limited: the DHCP client only processes properly formatted DHCP responses to its own requests.

# Check what actually reaches dhclient from outside your own network
# (your_network is a placeholder for your local prefix in CIDR notation)
sudo tcpdump -i eth0 port 68 and not src net your_network

For NetworkManager-controlled interfaces, you can modify dhclient behavior through hooks:

# Create a dhclient exit hook (exit hooks run after dhclient-script has configured the interface)
sudo nano /etc/dhcp/dhclient-exit-hooks.d/localhost-only

# Add these contents ($reason and $interface are set by dhclient-script):
if [ "$reason" = "BOUND" ] || [ "$reason" = "RENEW" ] || [ "$reason" = "REBIND" ]; then
    # Replace the limited-broadcast route with a link-scoped one on this interface
    ip route del 255.255.255.255/32 dev "$interface" 2>/dev/null
    ip route add 255.255.255.255/32 dev "$interface" scope link
fi

If you don't need DHCP at all, consider static IP configuration in NetworkManager:

# Example connection configuration (ip4/gw4 are nmcli shorthands; the DNS
# server is set through the explicit ipv4.dns property)
nmcli con add con-name "static-eth0" ifname eth0 type ethernet \
    ip4 192.168.1.100/24 gw4 192.168.1.1 \
    ipv4.dns 8.8.8.8

For systems where security is paramount, consider kernel-level packet filtering:

# iptables rule to restrict DHCP traffic
sudo iptables -A INPUT -i eth0 -p udp --dport 68 -m state \
    --state NEW,ESTABLISHED -j DROP

After making changes, verify the binding:

# Filter on the port field itself rather than grepping for any "68" in the output
ss -ulnp 'sport = :68'
# Should show 127.0.0.1:68 if successfully restricted

The dhclient daemon typically binds to 0.0.0.0:68 (all interfaces) by default when requesting DHCP configuration. This is necessary for proper DHCP operation as the client needs to receive broadcast responses from DHCP servers before establishing an IP address.

# Typical dhclient socket binding
Proto Recv-Q Send-Q Local Address  Foreign Address  State  PID/Program name
udp        0      0 0.0.0.0:68     0.0.0.0:*               1563/dhclient

While having UDP port 68 open globally is standard for DHCP clients, security-conscious administrators might want to restrict this when:

  • Running on servers with multiple network interfaces
  • Operating in environments with strict security requirements
  • Using NetworkManager for primary network configuration

There are several approaches to handle this situation:

Option 1: NetworkManager Integration

If using NetworkManager (common on desktop systems), you can disable dhclient entirely:

# Edit /etc/NetworkManager/NetworkManager.conf
[main]
dhcp=dhclient

Change to:

[main]
dhcp=internal

Option 2: Custom dhclient Script

Create a wrapper script that modifies the binding behavior:

#!/bin/bash
# /usr/local/sbin/dhclient-wrapper

# First release the existing lease
dhclient -r "$@"

# Then request a new lease using the alternate configuration file
# (-cf selects the config file; -sf would select the client script instead)
exec dhclient -cf /etc/dhcp/dhclient-local.conf "$@"

Then create a custom config file:

# /etc/dhcp/dhclient-local.conf
interface "eth0" {
  send host-name "yourhostname";
  send dhcp-client-identifier "yourid";
  script "/etc/dhcp/dhclient-script";
  # send/request/supersede statements only shape DHCP options; dhclient.conf
  # has no statement that changes the address the client socket binds to
}

Option 3: Firewall Restrictions

Use iptables/nftables to restrict access:

# iptables example: rules are matched in order, so the loopback ACCEPT must
# be appended before the catch-all DROP or it will never be reached
iptables -A INPUT -i lo -p udp --dport 68 -j ACCEPT
iptables -A INPUT -p udp --dport 68 -j DROP

After making changes, verify with:

ss -ulnp 'sport = :68'
# or (the trailing space keeps ports such as 680 or 6868 from matching)
netstat -ulnp | grep ':68 '

Remember that DHCP requires specific network access patterns, so test thoroughly in your environment before deploying to production.