When managing a DHCP server, you might encounter situations where you need to prevent certain devices from obtaining IP addresses. The ISC DHCP server (dhcpd) provides mechanisms to filter clients based on their MAC addresses.
Here's the fundamental way to ignore a specific MAC address:
host blacklisted-device {
    hardware ethernet 00:11:22:33:44:55;
    deny booting;
}
For multiple devices, you can either list them individually or use class matching for patterns:
# Individual entries
host unwanted1 {
    hardware ethernet aa:bb:cc:dd:ee:ff;
    deny booting;
}
host unwanted2 {
    hardware ethernet 11:22:33:44:55:66;
    deny booting;
}
While dhcpd doesn't support wildcards in the traditional sense, you can use class matching on a prefix of the MAC address. The hardware expression begins with a one-byte hardware type (01 for Ethernet) followed by the link-layer address, so substring(hardware, 1, N) selects the first N bytes of the MAC itself, and N must equal the number of octets in the literal you compare against:
class "blacklisted-devices" {
    # match the first two octets of the MAC (00:0d:xx:xx:xx:xx)
    match if substring(hardware, 1, 2) = 00:0d;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
    pool {
        # members of the class get no address from this pool
        deny members of "blacklisted-devices";
        range 192.168.1.100 192.168.1.200;
    }
}
Note that a pool-level deny only keeps the class out of that pool; if the subnet has another pool or range the class is not denied from, members can still obtain a lease there.
For more complex scenarios, you might want to maintain separate files:
# In dhcpd.conf
include "/etc/dhcp/blacklisted-macs.conf";
# In blacklisted-macs.conf
host unwanted-device1 { hardware ethernet aa:bb:cc:dd:ee:ff; deny booting; }
host unwanted-device2 { hardware ethernet 11:22:33:44:55:66; deny booting; }
After making changes, always test your configuration:
sudo dhcpd -t -cf /etc/dhcp/dhcpd.conf
sudo systemctl restart isc-dhcp-server
If devices are still getting leases:
- Check for typos in MAC addresses
- Verify the configuration file is being loaded
- Ensure there are no conflicting allow statements
- Check server logs for errors
When administering an ISC DHCP server, you might encounter situations where you need to exclude certain devices based on their MAC addresses. This could be for security reasons, to prevent unauthorized devices from obtaining leases, or to reserve specific address ranges.
The correct way to block MAC addresses in dhcpd.conf is using the deny statement within a class declaration:
class "blacklisted-macs" {
    match if substring(hardware, 1, 3) = 00:01:02;
    deny booting;
}
For blocking a range of MAC addresses (like vendor prefixes), use:
class "block-vendor" {
    match if substring(hardware, 1, 3) = d0:0d:00;
    deny booting;
}
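The class examples above, like the earlier "blacklisted-devices" class, rely on two evaluation rules: the hardware expression yields the hardware type byte followed by the MAC, and substring offsets count from zero. The following Python model is added here as an illustration (it is not code from the page or from ISC) and reproduces those rules so that a prefix or literal can be checked against sample MACs before it goes into dhcpd.conf. Function names and the MAC addresses are the example's own, constructed for the demonstration.

```python
# Added example (not part of the page): a small model of how dhcpd evaluates
# the `hardware` data expression and `substring`, so class match prefixes can
# be checked against sample MACs before they are put into dhcpd.conf.
# All MAC addresses used here are constructed for the example.

HTYPE_ETHERNET = 0x01  # hardware type byte dhcpd places in front of the link address


def parse_colon_hex(text: str) -> bytes:
    """Parse a colon-separated hex literal as written in dhcpd.conf (e.g. d0:0d:00)."""
    parts = text.strip().lower().replace("-", ":").split(":")
    if not all(len(p) in (1, 2) and p for p in parts):
        raise ValueError(f"malformed hex literal: {text!r}")
    return bytes(int(p, 16) for p in parts)


def parse_mac(text: str) -> bytes:
    """Parse a full six-octet MAC, rejecting typos such as a missing octet."""
    raw = parse_colon_hex(text)
    if len(raw) != 6:
        raise ValueError(f"expected 6 octets, got {len(raw)}: {text!r}")
    return raw


def hardware_expr(mac: bytes, htype: int = HTYPE_ETHERNET) -> bytes:
    """dhcpd's `hardware` expression: the hardware type byte followed by the MAC."""
    return bytes([htype]) + mac


def dhcpd_substring(data: bytes, offset: int, length: int) -> bytes:
    """dhcpd's substring(data, offset, length); the offset is zero-based."""
    return data[offset:offset + length]


def matches_prefix(mac_text: str, prefix_text: str) -> bool:
    """Equivalent of: match if substring(hardware, 1, N) = <prefix>;  (N = prefix octets)."""
    prefix = parse_colon_hex(prefix_text)
    hw = hardware_expr(parse_mac(mac_text))
    return dhcpd_substring(hw, 1, len(prefix)) == prefix


def matches_literal(mac_text: str, literal_text: str) -> bool:
    """Equivalent of: match if hardware = <literal>;
    A data comparison is only true when both sides have the same length, so the
    literal must carry the leading type byte (01:aa:bb:...) to match an Ethernet client."""
    return hardware_expr(parse_mac(mac_text)) == parse_colon_hex(literal_text)


def blocked_clients(mac_texts, prefixes) -> list:
    """Return the sample MACs that a prefix class would match, in input order."""
    return [m for m in mac_texts if any(matches_prefix(m, p) for p in prefixes)]


if __name__ == "__main__":
    sample = ["00:0d:12:34:56:78", "d0:0d:00:aa:bb:cc", "00:11:22:33:44:55"]
    print(blocked_clients(sample, ["00:0d", "d0:0d:00"]))  # first two only
    print(matches_literal("00:11:22:33:44:55", "00:11:22:33:44:55"))     # False
    print(matches_literal("00:11:22:33:44:55", "01:00:11:22:33:44:55"))  # True
```

The last two calls show why a bare `hardware = aa:bb:cc:dd:ee:ff` never matches: the left side is seven bytes, the literal six. Comparing `substring(hardware, 1, 6)` against the six-octet MAC, or prefixing the literal with `01:`, are the two forms that work.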
Another approach is to keep members of the class out of the address pool with a pool-level deny, so they are never offered an address from it:
subnet 10.0.0.0 netmask 255.255.255.0 {
    pool {
        range 10.0.0.10 10.0.0.100;
        deny members of "blacklisted-macs";
    }
}
After modifying dhcpd.conf, always test with:
dhcpd -t -cf /etc/dhcp/dhcpd.conf
service dhcpd restart
Here's a full configuration example blocking multiple MAC patterns. All conditions are combined with or into a single match if expression, full MACs are compared with substring(hardware, 1, 6) because the hardware expression carries a leading hardware-type byte, and the deny members of statement sits inside a pool, which is the only scope that accepts it:
# Global blacklist class
class "blacklist" {
    # Block specific MACs (first six bytes after the hardware-type byte)
    # and vendor prefixes (first three bytes of the MAC)
    match if (substring(hardware, 1, 6) = 00:11:22:33:44:55) or
             (substring(hardware, 1, 6) = aa:bb:cc:dd:ee:ff) or
             (substring(hardware, 1, 3) = d0:0d:00) or
             (substring(hardware, 1, 3) = 00:23:15);
    deny booting;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    pool {
        range 192.168.1.100 192.168.1.200;
        deny members of "blacklist";
    }
}
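Both the include-file approach described earlier and the combined configuration above are easy to get wrong by hand: a mistyped octet or a duplicate host entry is exactly the "devices still getting leases" symptom in the troubleshooting list. The Python generator below is added here as an illustration (not code from the page or from ISC) and renders the host stanzas, the blacklist class and the subnet pool from a plain list of MACs and vendor prefixes, validating every address first. Function names, the host names and the sample inventory are constructed for the example.

```python
# Added example (not part of the page): build dhcpd.conf blacklist fragments
# from a plain list of MACs and vendor prefixes, validating every address so
# a typo cannot silently leave a device unblocked. The sample inventory in the
# main block is constructed for the example.
import re

_MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")
_PREFIX_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){0,4}$")
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def normalize_mac(text: str) -> str:
    """Lower-case and colon-separate a MAC, rejecting anything that is not six octets."""
    mac = text.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {text!r}")
    return mac


def normalize_prefix(text: str) -> str:
    """Validate a one- to five-octet vendor prefix such as 'd0:0d:00'."""
    prefix = text.strip().lower().replace("-", ":").rstrip(":")
    if not _PREFIX_RE.match(prefix):
        raise ValueError(f"malformed MAC prefix: {text!r}")
    return prefix


def render_host_entries(devices: dict) -> str:
    """One 'host ... { deny booting; }' stanza per device for the include file,
    de-duplicated by MAC so the same address is never declared twice."""
    seen = set()
    lines = []
    for name, raw_mac in devices.items():
        if not _NAME_RE.match(name):
            raise ValueError(f"invalid host name: {name!r}")
        mac = normalize_mac(raw_mac)
        if mac in seen:
            continue
        seen.add(mac)
        lines.append(f"host {name} {{ hardware ethernet {mac}; deny booting; }}")
    return "\n".join(lines) + "\n"


def render_blacklist_class(class_name: str, macs, prefixes) -> str:
    """A class whose single 'match if' ORs every full MAC and vendor prefix.
    substring(hardware, 1, N) skips the leading hardware-type byte."""
    terms = [f"(substring(hardware, 1, 6) = {normalize_mac(m)})" for m in macs]
    for raw in prefixes:
        prefix = normalize_prefix(raw)
        octets = prefix.count(":") + 1
        terms.append(f"(substring(hardware, 1, {octets}) = {prefix})")
    if not terms:
        raise ValueError("blacklist class needs at least one MAC or prefix")
    joined = "\n             or ".join(terms)
    return (f'class "{class_name}" {{\n'
            f"    match if {joined};\n"
            "    deny booting;\n"
            "}\n")


def render_pool(subnet: str, netmask: str, first: str, last: str, class_name: str) -> str:
    """Subnet whose pool refuses members of the class; 'deny members of' is pool-only."""
    return (f"subnet {subnet} netmask {netmask} {{\n"
            "    pool {\n"
            f"        range {first} {last};\n"
            f'        deny members of "{class_name}";\n'
            "    }\n"
            "}\n")


if __name__ == "__main__":
    # constructed sample inventory; dash-separated input is normalised to colons
    blocked = {"unwanted-device1": "AA-BB-CC-DD-EE-FF",
               "unwanted-device2": "11:22:33:44:55:66"}
    print(render_host_entries(blocked))
    print(render_blacklist_class("blacklist", blocked.values(), ["d0:0d:00", "00:23:15"]))
    print(render_pool("192.168.1.0", "255.255.255.0",
                      "192.168.1.100", "192.168.1.200", "blacklist"))
```

Write the output of render_host_entries to the include file and the other two fragments into dhcpd.conf, then run the dhcpd -t check from the page before restarting; the generator only guarantees that the addresses are well formed, not that the rest of the configuration is.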