How do I find if there is a rogue DHCP server on my Network?

What's the best approach towards determining if I have a rogue DHCP server inside my network?

I'm wondering how most admins approach these kinds of problems. I found DHCP Probe through searching, and thought about trying it out. Has anyone had experience with it? (I would like to know before taking the time to compile it and install).

Do you know any useful tools or best-practices towards finding rogue DHCP servers?

Solution 1:

One simple method is to simply run a sniffer like tcpdump/wireshark on a computer and send out a DHCP request. If you see any offers other then from your real DHCP server then you know you have a problem.

Solution 2:

To recap and add to some of the other answers:

Temporarily disable your production DHCP server and see if other servers respond.

You can get the IP address of the server by running ipconfig /all on a windows machine, and then you can get the MAC address by looking for that IP address using arp -a.

On a Mac, run ipconfig getpacket en0 (or en1). See http://www.macosxhints.com/article.php?story=20060124152826491.

The DHCP server information is usually in /var/log/messages. sudo grep -i dhcp /var/log/messages*

Disabling your production DHCP server might not be a good option, of course.

Use a tool that specifically looks for rogue DHCP servers

See http://en.wikipedia.org/wiki/Rogue_DHCP for a list of tools (many of which were listed in other responses).

Configure switches to block DHCP offers

Most managed switches can be configured to prevent rogue DHCP servers:

• http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/snoodhcp.html

• http://www.juniper.net/techpubs/en_US/junos9.2/topics/concept/port-security-dhcp-snooping.html

Solution 3:

dhcpdump, which takes input form tcpdump and shows only DHCP related packets. Helped me find rootkited Windows, posing as fake DHCP in our LAN.