Defending Against Rogue DHCP and DNS on Corporate Networks

Spot It. Block It. Before It Redirects Everything.

In today’s ever-evolving cyber threat landscape, many attackers no longer need to breach the perimeter to cause serious damage. Sometimes, they just need a foothold inside the network, and often that comes in the form of a rogue DHCP or DNS server. These rogue services can silently redirect traffic, undermine the trust that network access control (NAC) and segmentation rely on, enable lateral movement, and serve as pivot points for malware deployment.

This post will explore how these attacks happen, what risks they pose, and how you can detect and prevent them — including practical tools, PowerShell/Nmap/Python detection scripts, and how the Security Arsenal SOC defends against them in real time.

Understanding the Threat: What Are Rogue DHCP and DNS Servers?

DHCP (Dynamic Host Configuration Protocol) assigns IP addresses, gateways, and DNS settings to devices joining the network.
DNS (Domain Name System) resolves hostnames (like google.com) into IP addresses.

So, what happens when a rogue device offers these services?

  • A rogue DHCP server can hand clients a malicious default gateway, DNS resolver, or IP configuration.
  • A rogue DNS server can redirect traffic to attacker-controlled infrastructure, facilitating phishing, malware injection, or man-in-the-middle (MitM) attacks.
  • These attacks are stealthy and easy to miss: the exchange is link-local broadcast traffic that never crosses a perimeter firewall, and NAC only decides who gets a port, not what a device does once it has one.

How the Attack Works

Here’s a common sequence of a rogue DHCP or DNS attack:

  1. The attacker gets onto an internal segment (physical access, a compromised endpoint, or an exposed Wi-Fi network).
  2. A rogue DHCP server is started, usually with simple tools such as dhcpd, dnsmasq, RogueDHCP, or a Windows host running the DHCP Server role.
  3. Clients that broadcast a DHCPDISCOVER (at boot, on reconnect, or when a lease expires and the client falls back to broadcast) accept the first DHCPOFFER they hear; a rogue on the same segment that answers faster than the real server wins the race.
  4. The rogue DHCP server:
    • Sets the attacker's device as the default gateway (option 3).
    • Points DNS at a malicious resolver (option 6).
    • Optionally pushes classless static routes (option 121) so traffic for chosen internal subnets goes through the attacker.
  5. The attacker can now:
    • Monitor all outgoing client traffic (MitM).
    • Redirect users to phishing domains.
    • Bypass segmentation by forging routes to internal subnets.
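What a rogue OFFER actually carries is easiest to see by decoding one. The following is an added example, not code from the original post: a small pure-Python parser for the BOOTP/DHCP wire format that pulls out the options used in steps 4 and 5 above (3 router, 6 DNS, 54 server identifier, 121 classless static routes) and checks them against an expected baseline. The sample packet, the rogue address 10.0.0.66, the resolver 203.0.113.5 and the baseline server 10.0.0.2 are all constructed for the example.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_options(payload: bytes) -> dict:
    """Walk the TLV option area that follows the 236-byte BOOTP header."""
    if payload[:4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 4
    while i < len(payload):
        code = payload[i]
        if code == 0:                       # pad: single byte, no length
            i += 1
            continue
        if code == 255:                     # end of options
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def ip_list(raw: bytes) -> list:
    """Decode a run of 4-byte IPv4 addresses (options 3, 6, 54)."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]


def classless_routes(raw: bytes) -> list:
    """Decode option 121 (RFC 3442): prefix length, only the significant
    destination octets, then a 4-byte router, repeated."""
    routes, i = [], 0
    while i < len(raw):
        plen = raw[i]
        n = (plen + 7) // 8
        dest = int.from_bytes(raw[i + 1:i + 1 + n] + b"\x00" * (4 - n), "big")
        router = str(ipaddress.IPv4Address(raw[i + 1 + n:i + 5 + n]))
        routes.append((str(ipaddress.IPv4Network((dest, plen))), router))
        i += 5 + n
    return routes


def summarize_offer(msg: bytes) -> dict:
    """Return the configuration a client would apply if it accepted this message."""
    if len(msg) < 240:
        raise ValueError("truncated DHCP message")
    opts = parse_options(msg[236:])
    return {
        "msg_type": MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN"),
        "server_id": ip_list(opts[54])[0] if 54 in opts else None,
        "offered_ip": str(ipaddress.IPv4Address(msg[16:20])),   # yiaddr
        "routers": ip_list(opts.get(3, b"")),
        "dns": ip_list(opts.get(6, b"")),
        "static_routes": classless_routes(opts.get(121, b"")),
    }


def rogue_indicators(summary: dict, authorized_servers: set, authorized_dns: set) -> list:
    """Compare the offered settings with the baseline; each string is one finding."""
    findings = []
    if summary["server_id"] not in authorized_servers:
        findings.append(f"offer from unauthorized server {summary['server_id']}")
    for resolver in summary["dns"]:
        if resolver not in authorized_dns:
            findings.append(f"DNS pointed at unexpected resolver {resolver}")
    for net, via in summary["static_routes"]:
        findings.append(f"option 121 pushes a route for {net} via {via}")
    return findings


def build_sample_offer() -> bytes:
    """Constructed DHCPOFFER for the example: the rogue at 10.0.0.66 makes itself
    the gateway, hands out an attacker resolver, and routes 10.10.0.0/16 to itself."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x3903F326, 0, 0x8000,            # op=BOOTREPLY, Ethernet, broadcast flag
        b"\0" * 4,                                      # ciaddr
        ipaddress.IPv4Address("10.0.0.50").packed,      # yiaddr: the address being offered
        b"\0" * 4, b"\0" * 4,                           # siaddr, giaddr
        bytes.fromhex("aabbccddeeff") + b"\0" * 10,     # chaddr (client MAC, padded)
        b"\0" * 64, b"\0" * 128,                        # sname, file
    )
    rogue = ipaddress.IPv4Address("10.0.0.66").packed
    options = (MAGIC_COOKIE
               + bytes([53, 1, 2])                                            # DHCPOFFER
               + bytes([54, 4]) + rogue                                       # server identifier
               + bytes([3, 4]) + rogue                                        # default gateway
               + bytes([6, 4]) + ipaddress.IPv4Address("203.0.113.5").packed  # DNS resolver
               + bytes([121, 7]) + bytes([16, 10, 10]) + rogue                # 10.10.0.0/16 via rogue
               + b"\xff")
    return header + options


if __name__ == "__main__":
    offer = summarize_offer(build_sample_offer())
    print(offer)
    for finding in rogue_indicators(offer, {"10.0.0.2"}, {"10.0.0.2"}):
        print("[!]", finding)
```

The same summarize_offer() can be fed the raw UDP payload of a real OFFER captured with tcpdump or scapy; the option 121 decoder is the part worth keeping, since that option is how a rogue quietly pulls traffic for a specific internal subnet through itself without touching the default gateway.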

DNS can also be spoofed directly with a rogue DNS server, without replacing DHCP, using tools such as dnsspoof or Responder (which also answers LLMNR and NBT-NS name lookups), or through resolver settings embedded in malware.

Why This Matters

  • Nothing fires unless something is actually watching for extra DHCP servers and unexpected resolvers: perimeter firewalls never see the exchange, and endpoint AV does not treat a DHCPOFFER as malicious.
  • IoT devices, printers, and BYOD clients are often easy targets, since they cannot run an agent and accept whatever configuration they are offered.
  • Roaming employees on a compromised Wi-Fi segment pick up the rogue settings before their VPN tunnel comes up, and anything outside a split tunnel stays exposed afterwards.
  • Red teamers and real-world attackers have been known to weaponize these tactics during internal engagements.

How Security Arsenal SOC Detects and Prevents It

At Security Arsenal, our SOC continuously monitors for rogue DHCP/DNS behavior using real-time and scheduled approaches:

Real-Time Monitoring

  • Zeek (formerly Bro) records every DHCP exchange (dhcp.log, including the answering server_addr) and every DNS transaction (dns.log) off a SPAN port or TAP; sources not on the allowlist are flagged by comparing those logs against it.
  • Continuous traffic capture enables detection of multiple DHCP offers for one DISCOVER, DNS replies from unexpected resolvers, and abnormal TTLs or query patterns.

Daily Active Sweeps

  • Scheduled sweeps detect unauthorized DHCP/DNS servers using PowerShell, Nmap, or Python.
  • Any unrecognized host advertising DHCP/DNS is flagged for triage or automated isolation.

Free Detection Tools and Scripts

Here are free tools and scripts you can use to monitor your own network.

PowerShell – Detect Rogue DHCP Servers

# Shows which DHCP server actually leased each active interface and compares
# it with the servers authorized in AD (needs the RSAT DhcpServer module).
$authorized = @()
if (Get-Command Get-DhcpServerInDC -ErrorAction SilentlyContinue) {
    $authorized = Get-DhcpServerInDC | ForEach-Object { $_.IPAddress.ToString() }
}
Get-CimInstance Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.DHCPEnabled -and $_.DHCPServer } |
    ForEach-Object {
        $flag = if ($authorized -and $authorized -notcontains $_.DHCPServer) { 'UNAUTHORIZED' } else { 'ok' }
        Write-Host "Interface: $($_.Description) | DHCP Server: $($_.DHCPServer) | $flag"
    }

Windows has no built-in cmdlet that sends a DHCPDISCOVER, so this checks the server that actually issued each lease instead; Get-DhcpServerInDC needs the DhcpServer RSAT module and a domain-joined host. Keep in mind that AD authorization only stops the Windows DHCP Server role from serving; a rogue running dnsmasq or dhcpd on Linux never consults it, which is why the comparison is still needed.

Nmap – Broadcast Scan for DHCP or DNS

# Discover DHCP servers on the local segment (broadcast DHCPDISCOVER; needs root).
# Broadcast scripts take no target list; every DHCPOFFER that comes back is shown with its server id.
sudo nmap --script broadcast-dhcp-discover -e eth0

# Ask each host directly whether it answers DHCP (unicast DHCPINFORM to UDP 67)
sudo nmap -sU -p 67 --script dhcp-discover 10.0.0.0/24

# Find hosts answering DNS, and whether they recurse
sudo nmap -sU -p 53 --script dns-recursion 10.0.0.0/24

Look for unauthorized IPs responding to DHCP requests or acting as open DNS resolvers. The broadcast script only hears servers in the broadcast domain the scanning host sits in, so run it from each VLAN; the per-host scans cover whole ranges but only catch hosts that answer unicast.

Python – Detect DHCP Offers

from scapy.all import sniff, IP, BOOTP, DHCP

AUTHORIZED = {"10.0.0.2"}   # your real DHCP server(s); edit for your network

def detect_dhcp(pkt):
    if DHCP not in pkt:
        return
    # Options are a list of (name, value) tuples plus 'pad'/'end' strings;
    # do not assume message-type is first.
    opts = {o[0]: o[1] for o in pkt[DHCP].options if isinstance(o, tuple)}
    if opts.get("message-type") == 2:                  # 2 = DHCPOFFER
        server = opts.get("server_id", pkt[IP].src)     # option 54 is the server's own claim
        tag = "OK" if server in AUTHORIZED else "ROGUE?"
        print(f"[{tag}] DHCP offer of {pkt[BOOTP].yiaddr} from {server} (MAC {pkt.src})")

sniff(filter="udp and (port 67 or 68)", prn=detect_dhcp, store=0)   # needs root/admin

Run this with root or administrator rights from a trusted endpoint on each segment you care about (it only hears offers in its own broadcast domain), and trigger a fresh exchange while it runs (ipconfig /renew on Windows, dhclient on Linux). If offers arrive from more than one server, or from any address you do not recognize, you may have a rogue.

Prevention Strategies

Network Segmentation and NAC

  • Use VLANs to isolate guest, IoT, and production traffic.
  • Implement 802.1X authentication to restrict who can connect.
  • Enable DHCP snooping on the access switches (Cisco: ip dhcp snooping) and mark only the port or uplink that leads to the real DHCP server as trusted; server messages (OFFER/ACK) arriving on untrusted ports are dropped, and the resulting binding table also feeds Dynamic ARP Inspection and IP Source Guard. Port security (MAC limits) is a separate feature and does not stop a rogue server by itself.

Monitoring and Baseline Auditing

  • Regularly audit authorized DHCP/DNS servers.
  • Use Zeek logs or a SIEM to monitor DHCP/DNS activity patterns.
  • Enable alerts for unexpected MAC or IP addresses acting as DHCP servers.
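The comparison these monitoring bullets describe, and the Zeek-based real-time monitoring described earlier, can be automated against Zeek's own logs. This is an added example, not code from the original post or from the Zeek project: it reads dhcp.log and dns.log in Zeek's JSON line format (one record per line, as produced with JSON logging enabled) and checks who answered against an allowlist. The field names are Zeek's; the allowlist addresses and the log records are constructed for the example.

```python
import json

# Assumed baseline for the example network; edit for your own.
AUTHORIZED_DHCP = {"10.0.0.2"}
AUTHORIZED_DNS = {"10.0.0.2", "10.0.0.3"}
MIN_SANE_TTL = 30   # seconds; spoofers hand out tiny TTLs so victims keep asking them

# Constructed sample records in Zeek JSON log format (one object per line).
SAMPLE_DHCP_LOG = """\
{"ts":1718000000.1,"client_addr":"10.0.0.50","server_addr":"10.0.0.2","mac":"aa:bb:cc:00:00:01","assigned_addr":"10.0.0.50","msg_types":["DISCOVER","OFFER","REQUEST","ACK"]}
{"ts":1718000030.4,"client_addr":"10.0.0.51","server_addr":"10.0.0.66","mac":"aa:bb:cc:00:00:02","assigned_addr":"10.0.0.51","msg_types":["DISCOVER","OFFER","REQUEST","ACK"]}
{"ts":1718000031.0,"client_addr":"0.0.0.0","mac":"aa:bb:cc:00:00:03","msg_types":["DISCOVER"]}
"""
SAMPLE_DNS_LOG = """\
{"ts":1718000040.0,"uid":"C1","id.orig_h":"10.0.0.51","id.orig_p":51000,"id.resp_h":"10.0.0.66","id.resp_p":53,"proto":"udp","query":"login.example.com","answers":["203.0.113.5"],"TTLs":[5.0],"rcode":0}
{"ts":1718000041.0,"uid":"C2","id.orig_h":"10.0.0.50","id.orig_p":51001,"id.resp_h":"10.0.0.2","id.resp_p":53,"proto":"udp","query":"intranet.example.com","answers":["10.0.20.10"],"TTLs":[3600.0],"rcode":0}
"""


def _records(log_text: str):
    """Yield one dict per non-empty JSON line."""
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def rogue_dhcp_servers(dhcp_log: str, authorized=AUTHORIZED_DHCP) -> list:
    """Leases handed out by a server_addr outside the allowlist. Exchanges with
    no server_addr (a DISCOVER nobody answered) carry no server to judge."""
    hits = []
    for rec in _records(dhcp_log):
        server = rec.get("server_addr")
        if server and server not in authorized:
            hits.append({"ts": rec["ts"], "server": server,
                         "client_mac": rec.get("mac"), "assigned": rec.get("assigned_addr")})
    return hits


def rogue_dns_responders(dns_log: str, authorized=AUTHORIZED_DNS, min_ttl=MIN_SANE_TTL) -> list:
    """Queries answered by a resolver outside the allowlist, or with abnormally low TTLs."""
    hits = []
    for rec in _records(dns_log):
        if rec.get("id.resp_p") != 53:
            continue
        resolver = rec["id.resp_h"]
        reasons = []
        if resolver not in authorized:
            reasons.append("unauthorized resolver")
        if any(ttl < min_ttl for ttl in rec.get("TTLs", [])):
            reasons.append("abnormally low TTL")
        if reasons:
            hits.append({"ts": rec["ts"], "client": rec["id.orig_h"], "resolver": resolver,
                         "query": rec.get("query"), "answers": rec.get("answers", []),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in rogue_dhcp_servers(SAMPLE_DHCP_LOG):
        print(f"[DHCP] {h['server']} leased {h['assigned']} to {h['client_mac']} at {h['ts']}")
    for h in rogue_dns_responders(SAMPLE_DNS_LOG):
        print(f"[DNS]  {h['client']} -> {h['resolver']} for {h['query']}: {', '.join(h['reasons'])}")
```

To run it against a live sensor, pass the contents of the current dhcp.log and dns.log (Zeek writes TSV by default, so switch the ASCII writer to JSON output first) and ship the returned hits to your SIEM; the MAC in each DHCP hit is what you take to the switch to find the port.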

Endpoint and SOC Controls

  • On endpoints that are not authorized servers, block inbound UDP 67 (DHCP server) and UDP 53 (DNS) with host firewall policy so a compromised host cannot answer as one; do not block outbound UDP 67, which is what a DHCP client uses to reach the server. At the network edge, allow DNS only to the authorized resolvers.
  • Pin DNS on managed endpoints by policy (static resolvers, or Windows NRPT rules) so a rogue DHCP's DNS option is ignored. Clients accept the first DHCPOFFER they hear and most operating systems have no supported way to ignore extra offers, so switch-level DHCP snooping, not client configuration, is the real control.

Summary: Detect Early, Respond Fast

Rogue DHCP and DNS attacks are silent assassins on the internal network. They require no malware, no phishing, and no exploits — just poor visibility and weak enforcement.

By using a layered approach — real-time monitoring with Zeek, daily active sweeps with Nmap, PowerShell, and Python, and policy enforcement at the switch and endpoint level — you can greatly reduce your exposure.

At Security Arsenal, our SOC catches these rogue activities in real-time, blocking attackers before damage is done. Want to learn how we can help protect your environment? Reach out today.

🛠 Need help implementing detection in your environment?
We offer free scripts and guides to get you started — or full managed detection if you want peace of mind.

