How can we solve the problems caused by illegal DHCP servers?

In our network construction, security has always been the top priority. Do you know the impact of illegal DHCP servers? So what kind of illegal DHCP server problems will happen? Here we will mainly explain how to solve the problem of illegal DHCP servers on the LAN.

Recently, some computers in the company frequently fail to access the Internet. These computers automatically obtain IP addresses. However, after checking, I found that the obtained Gateway addresses are incorrect, generally, DHCP does not send the wrong gateway to the client computer. After I release the obtained Network Parameters Using ipconfig/release, I can use ipconfig/renew to obtain the actual gateway address, and most of the obtained data is still incorrect. So I asserted that there must be other DHCP servers in the LAN, also known as illegal DHCP servers. Why can't the network parameters allocated by the real DHCP server be correctly transmitted to the client?

First, let's take a look at the DHCP service mechanism:

Generally, the company has a DHCP server to provide necessary network parameter information to the client computer, such as IP addresses, subnet masks, gateways, and DNS, in many cases, routers can take on this responsibility. Each time the client computer starts, it will send a broadcast packet to the network to find the DHCP server, provided that the computer is set to automatically obtain the IP address), the broadcast packet is randomly sent to the network, when a DHCP server receives the broadcast packet, it sends a Response Message to the computer with the source MAC address of the packet, and extracts an IP address from the address pool and assigns it to the computer.

Why is illegal DHCP considered legal by the client computer?

According to the DHCP service mechanism, the broadcast packets sent by the client computer after it is started will be sent to all the devices in the network. There is no rule in whether the client is a valid DHCP server or an illegal DHCP server to answer the requests first, client computers do not have the ability to distinguish between valid and illegal computers. In this way, the network is completely disrupted. machines that can normally access the Internet can no longer connect to intelnet.

Solution:

1. ipconfig/release and ipconfig/renew

We can temporarily solve this problem by repeatedly trying to send broadcast packets until the client can obtain the real address. That is, you first use ipconfig/release to release illegal network data, and then use ipconfig/renew to obtain network parameters. If you still get error information, try/release and/renew again until the correct information is obtained.

Reminder: This method is not permanent, and the number of repeated attempts is not guaranteed. In addition, when the DHCP lease expires, the client computer needs to search for information from the DHCP server again, and the fault will still occur.

2. filter illegal DHCP servers by "Domain"

Add a valid DHCP server to the Active Directory. The principle is that the DHCP Server that is not added to the domain sends a DHCPINFORM query packet to other DHCP servers in the network before the corresponding request. If other DHCP servers have a response, therefore, the DHCP Server cannot meet the customer's requirements. That is to say, the priority of the DHCP Server that is added to the domain in the network is higher than that of the DHCP Server that is not added to the domain. In this way, if the valid DHCP address exists, the invalid IP address cannot be used.

Note: although this method works well, it requires domain support. You need to know that "domain" is very useful to many small and medium-sized enterprises. Basically, working groups are enough to deal with daily work. Therefore, this method works well, but it is not suitable for the actual situation.

3. port on the routing switch device

The DHCP service mainly uses UDP port 67 and port 68. The DHCP server uses port 68 to respond to data packets and port 67 to send requests to the client. Therefore, we can keep port 68 of the server on the vro and close port 68 of the client to filter out illegal DHCP servers.

Note: if there are many computers, it is inconvenient to operate and will increase the burden on the router and affect the network speed.

4. Find out the illegal DHCP server and block it.

The DHCP server also acts as a gateway. If an illegal gateway address is obtained, the IP address of the invalid DHCP server is known. Ping the ip address to check the Host Name and use the arp host name to find the MAC address. Once you know the MAC address, you can block the MAC address in the vro or block port 68 of the MAC address. You can do anything else. You can find all the black hands behind the scenes. I use these 4th methods.