How to find the DHCP server on a network

Tue May 19 20:05:55 UTC 2009

John Tabasz (jtabasz) wrote:
> One of the networks I am responsible for has a DHCP server that is 
> giving out an address already assigned to another host. I want to 
> locate this DHCP server and investigate it as a rogue server.
> Can someone suggest a clean way to identify the DHCP servers on a 
> network?
>  
> Thanks,
>  
> John
> ------------------------------------------------------------------------
>
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-user

On our campus, the reasons for rogues revolved initially on 
proliferation of SOHO class NAT's in offices, and hosts bridging one 
interface (wireless) to another.

The only way to identify the DHCP servers on the network is to listen 
for the responses and note the source IP address and the source MAC 
address;.. likely this will be with a judicious use of a sniffer, snoop, 
tshark, ethereal, etc..  Once the rogue is located, new configurations 
can be rapidly applied with a clue-by-four tool.

We take a different approach... address tracking of physical location 
(jack), switch/port, MAC address, IP address as a session tuple to 
locate offenders in case the need arises, and we implement edge filters 
to disable dhcp server responses from all but a known set of ports.  
This doesn't involve exotic dhcp snooping.

With vendor 'C', the edge filter is pretty straight forward.   I am sure 
that edge filtering is straightforward on most switching platforms.

ip access-list extended Access_IN
 remark * Standard Rogue DHCP Servers from customers filter *
 deny   udp any eq bootps any log
[....]
 remark * let any "real"  address out.
 permit ip any any

interface GigabitEthernetx/x/x
  ip access-group Access_IN in

Tim

-- 
Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP