Finding Rogue DHCP Servers

Finding rogue DHCP servers on LAN

Question: How can I find a rogue DHCP server on my network?

My Answer:

A common way to locate a rogue DHCP server on your network is to use a tool like Wireshark, DHCP Explorer, or DHCP Probe. Those approaches are good for a one-time or periodic check. However, I’d recommend looking into adding DHCP Snooping on your network. This feature provides constant protection from rogue DHCP servers on the network, and is supported by many different hardware vendors.

Here’s the feature set as indicated in the Cisco docs.

  • Validates DHCP messages received from untrusted sources and filters out invalid messages.

  • Rate-limits DHCP traffic from trusted and untrusted sources.

  • Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

  • Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
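
The one-time check mentioned earlier can also be scripted. The following is an added example, not code from the original answer or from the tools named above: it parses a DHCP message (the UDP payload, assumed to be already extracted from a capture) and reports server replies whose server identifier (option 54) is not on an allowlist. The `AUTHORIZED` set, the addresses, and the `build_sample` helper are constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # marks the start of DHCP options
REPLY_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values sent by servers
AUTHORIZED = {"192.0.2.1"}                    # assumption: your real DHCP server(s)

def parse_options(data):
    """Walk the type-length-value option field and return {code: value}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:                       # end option
            break
        if code == 0:                         # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def check_reply(payload, authorized=AUTHORIZED):
    """Return (message type, server id) for a reply from an unlisted server, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    if payload[0] != 2:                       # op 2 = BOOTREPLY; ignore client requests
        return None
    opts = parse_options(payload[240:])
    mtype = opts.get(53)
    if not mtype or mtype[0] not in REPLY_TYPES:
        return None
    sid = opts.get(54, b"")
    server = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "unknown"
    return None if server in authorized else (REPLY_TYPES[mtype[0]], server)

def build_sample(op, msg_type, server_ip):
    """Constructed sample message for the demo (not captured traffic)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                        ipaddress.IPv4Address("192.0.2.50").packed, bytes(4), bytes(4),
                        bytes.fromhex("020000000001"), b"", b"")
    opts = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server_ip).packed + b"\xff"
    return fixed + MAGIC_COOKIE + opts

if __name__ == "__main__":
    print(check_reply(build_sample(2, 2, "192.0.2.66")))
```

A reply with a missing or malformed option 54 is reported with the server as "unknown" so it is not silently accepted.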

Related:
Juniper docs
HP Procurve Docs