enquiry on validation of dhcp offered addres

ching lsching17 at gmail.com
Tue Apr 24 12:00:58 UTC 2012

On Tuesday, April 24, 2012 02:16 PM, dhcp-users-request at lists.isc.org 
>> I will look for other way to prevent routing intranet traffic to outside.
>>> Hang on ... you never said anything about that before !
>>> If all you are interested in is preventing routing certain traffic
>>> outside of your network then just apply a few firewall rules to block
>>> it. That too is nothing to do with DHCP.
>> This partially solve the problem as dropping internal traffic can result
>> in a denial of service attack.
> You could add firewall rules to block outbound traffic on your WAN
> interface to addresses that match your internal network. This is called
> anti-spoofing, and is (or used to be) common practise when setting up a
> firewall. So, if someone outside your LAN pretends to have an internal
> IP you ignore that. That's not denial of service, since it's only going
> to block invalid IP destinations.

if internal server's ip is and the invalid wan 

if firewall is not blocking, then a faked server may be waiting at the 
WAN interface, ready to receive confidential information.
if firewall is blocking, then the real server may have a downtime (all traffic are routed to WAN interface and then dropped), 
resulting in a denial of service.

More information about the dhcp-users mailing list