DHCP Protocol

How It Works

Every device that joins a network needs at minimum: an IP address, a subnet mask, a default gateway, and DNS server addresses. DHCP (Dynamic Host Configuration Protocol) provides all of this automatically using a simple 4-packet exchange over UDP.

The DORA Process

D — Discover: The client has no IP address yet. It sends a UDP broadcast from 0.0.0.0:68 to 255.255.255.255:67. The message says: "I am MAC address AA:BB:CC:DD:EE:FF and I need an IP address." Every device on the broadcast domain hears this, but only DHCP servers respond.

O — Offer: The DHCP server checks its address pool, picks an available IP, and sends an Offer. The offer includes the proposed IP, subnet mask, lease duration, and the server's own IP. If multiple DHCP servers exist, the client may receive multiple offers.

R — Request: The client picks one offer (typically the first received) and broadcasts a Request. The broadcast is intentional — it tells all DHCP servers which offer was accepted so the others can release their reserved IPs. The Request includes the selected server's identifier.

A — Acknowledge: The selected server confirms the assignment with an ACK. This packet includes the full configuration: IP address, subnet mask, default gateway, DNS servers, domain name, NTP servers, and lease duration.

# Watch the DORA process in real time
sudo tcpdump -i eth0 -n port 67 or port 68
# 10:00:01 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, xid 0x3a2b1c
# 10:00:01 192.168.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, xid 0x3a2b1c
# 10:00:01 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, xid 0x3a2b1c
# 10:00:01 192.168.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, xid 0x3a2b1c

# Force a DHCP renewal on Linux
sudo dhclient -r eth0    # Release current lease
sudo dhclient eth0       # Request new lease

# On macOS
sudo ipconfig set en0 DHCP

Lease Management

DHCP leases are temporary. The client must renew before the lease expires or lose the IP. The renewal process has two stages:

• T1 (Renewal Timer): At 50% of the lease duration, the client sends a unicast DHCP Request directly to the server that assigned the lease. If the server responds with an ACK, the lease is renewed.
• T2 (Rebinding Timer): At 87.5% of the lease duration, if T1 renewal failed (server unreachable), the client broadcasts a Request to any DHCP server on the network.
• Expiry: If both T1 and T2 fail, the lease expires. The client must release the IP and start over with a Discover.

Lease Timeline (24-hour lease):
|------- T1 (12h) -------|------- T2 (21h) ---|-- Expire (24h)
| Normal use              | Try renew (unicast) | Try rebind (broadcast) | Must restart DORA

Typical lease durations:

Environment	Lease Duration	Why
Home WiFi	24 hours	Devices stay connected most of the day
Coffee shop WiFi	1-2 hours	High device turnover, limited IP pool
Enterprise wired	8-12 hours	Workday-aligned, predictable usage
Data center / cloud	Depends on platform	AWS VPC leases are effectively permanent while instance runs
IoT / sensor network	7+ days	Devices rarely change, minimize DHCP traffic

DHCP Options

The DHCP ACK carries much more than just an IP address. The most important options:

Option	Code	Purpose
Subnet Mask	1	Network mask for the assigned IP
Router (Gateway)	3	Default gateway IP address
DNS Servers	6	Recursive DNS resolver IPs
Domain Name	15	DNS search domain (e.g., corp.example.com)
Lease Time	51	How long the IP is valid
NTP Servers	42	Time synchronization servers
TFTP Server	66	Used for PXE network boot
Vendor-Specific	43	Custom options for specific vendors

# Example ISC DHCP server config (dhcpd.conf)
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;     # Pool: 101 addresses
  option routers 192.168.1.1;            # Default gateway
  option domain-name-servers 8.8.8.8, 1.1.1.1;
  option domain-name "office.example.com";
  default-lease-time 28800;              # 8 hours
  max-lease-time 86400;                  # 24 hours max

  # Static reservation by MAC address
  host printer-lobby {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.1.10;
  }
}

Production Considerations

DHCP Relay Agents

DHCP Discover is a broadcast, and broadcasts do not cross router boundaries. In a multi-VLAN network, there are two choices:

1. DHCP server per VLAN — operationally painful with many VLANs
2. DHCP relay agent — the router/switch forwards DHCP broadcasts as unicast to a central DHCP server

The relay agent sits on the local subnet, intercepts DHCP broadcasts, and forwards them as unicast UDP to the DHCP server's IP. It adds Option 82 (Relay Agent Information) so the server knows which subnet the request came from and can assign an IP from the correct pool.

# Cisco switch DHCP relay configuration
interface Vlan100
  ip address 10.0.100.1 255.255.255.0
  ip helper-address 10.0.1.50    # Central DHCP server

# Linux dhcrelay configuration
dhcrelay -i eth0 -i eth1 10.0.1.50

DHCP High Availability

A single DHCP server is a single point of failure. If it goes down, no new devices can join the network and existing leases eventually expire. Options for HA:

Split Scope (Simple): Two DHCP servers, each with half the address pool. Server A handles .100-.150, Server B handles .151-.200. Both are always active. Downside: half the pool capacity per server is wasted.

Failover (Better): ISC DHCP and Kea support active-passive failover. The primary handles all requests; the secondary monitors heartbeats and takes over if the primary fails. Lease state is synchronized between them.

Cloud-Managed (Best): In AWS, Azure, and GCP, DHCP is a platform service. It is inherently highly available — no server management required. On AWS, configure DHCP via VPC DHCP Option Sets.

DHCP Security

DHCP is completely unauthenticated. Any device can request an address, and any device can pretend to be a DHCP server. This creates two attack vectors:

Rogue DHCP Server: An attacker runs a DHCP server that hands out malicious configuration — pointing DNS to an attacker-controlled resolver, or setting a malicious gateway that intercepts traffic.

DHCP Starvation: An attacker sends thousands of DHCP Discover messages with spoofed MAC addresses, exhausting the entire address pool so legitimate devices cannot get IPs.

Defense — DHCP Snooping: A switch feature that creates a trusted/untrusted port model. Only ports connected to legitimate DHCP servers are marked as trusted. DHCP Offer and ACK packets from untrusted ports are dropped. The switch builds a binding table mapping MAC → IP → Port → VLAN, which is also used by Dynamic ARP Inspection (DAI) and IP Source Guard.

# Cisco switch DHCP snooping configuration
ip dhcp snooping
ip dhcp snooping vlan 100
interface GigabitEthernet0/1
  ip dhcp snooping trust    # Port connected to real DHCP server

# Detect rogue DHCP servers from a Linux client
sudo nmap --script broadcast-dhcp-discover -e eth0

Troubleshooting DHCP Issues

When a device cannot get an IP address, work through this checklist:

Step 1: Is the client sending Discover?

sudo tcpdump -i eth0 -n port 67 or port 68 -c 10

If no Discover packets, the problem is the client (NIC disabled, driver issue, wrong VLAN assignment).

Step 2: Is the server receiving Discover? Check the DHCP server logs. On ISC KEA: journalctl -u kea-dhcp4. If the server never sees the Discover, the problem is network path — check VLAN, trunking, and relay agent configuration.

Step 3: Is the server sending an Offer? If the server receives the Discover but does not Offer, the address pool is likely exhausted. Check dhcpd.leases or Kea's lease database for active leases.

Step 4: Does the client receive the Offer? If the Offer is sent but the client does not receive it, check for firewall rules blocking UDP 68 inbound to the client, or switch ACLs dropping the traffic.

Step 5: Lease conflict? If the client gets an IP but immediately loses connectivity, another device may already be using that IP. Enable Duplicate Address Detection — the DHCP server pings the IP before offering it (ping-check true in Kea, ping-timeout in ISC DHCP).