Introduction
DHCP (Dynamic Host Configuration Protocol) is the backbone of automated network configuration in modern networks. Every device that joins a network — from laptops and phones to IoT sensors and cloud instances — typically receives its IP address, subnet mask, gateway, and DNS servers through DHCP without any manual intervention.
This guide covers the DORA lease mechanics, DHCPv6 operation, ISC Kea and other modern server implementations, security threats, and integration with cloud and container environments.
What is DHCP?
DHCP uses a client-server model where the DHCP server leases IP addresses to clients for a configurable duration.
Key Features
- Automatic IP Assignment: Devices receive an IP address on boot with zero manual intervention. Addresses are drawn from configurable pools per subnet.
- Centralized Management: All IP configuration — subnet masks, gateways, DNS servers, NTP servers — is managed from a single server, not per-device.
- Lease Management: Addresses are temporary by default. Expired leases return to the pool for reuse, preventing address exhaustion.
- Option Propagation: DHCP delivers auxiliary configuration (DNS, domain search, NTP, proxy PAC files) alongside the IP lease via DHCP options.
- Dynamic DNS Integration: DHCP can register client hostnames with DNS servers, keeping A/AAAA and PTR records synchronized with lease state.
Lease Process (DORA)
Four-Step Process
sequenceDiagram
participant C as DHCP Client
participant S as DHCP Server
C->>S: DHCPDISCOVER (broadcast)
Note right of C: "Is there a DHCP server?"
S-->>C: DHCPOFFER (available IP)
Note left of S: "Use 192.168.1.100?"
C->>S: DHCPREQUEST (requests offered IP)
Note right of C: "Yes, I want 192.168.1.100"
S-->>C: DHCPACK (lease confirmed)
Note left of S: "Confirmed, lease starts now"
Lease Renewal and Rebinding
Clients do not wait for the lease to expire before renewing:
- T1 (Renewal): At 50% of lease time, the client sends a unicast DHCPREQUEST directly to the server that granted the lease. If the server responds with DHCPACK, the lease timer resets.
- T2 (Rebinding): At 87.5% of lease time, if the original server has not responded, the client broadcasts DHCPREQUEST to any server. Any available server may respond with DHCPACK to extend the lease.
- Expiry: If no server responds by lease end, the client relinquishes the IP and returns to DISCOVER state.
This staggered renewal mechanism prevents mass renewal storms while ensuring clients do not lose connectivity if a single server fails.
Message Types
| Type | Code | Description |
|---|---|---|
| DHCPDISCOVER | 1 | Client broadcasts to find servers |
| DHCPOFFER | 2 | Server offers IP |
| DHCPREQUEST | 3 | Client requests IP |
| DHCPACK | 4 | Server confirms |
| DHCPNAK | 5 | Server denies |
| DHCPRELEASE | 6 | Client releases IP |
| DHCPINFORM | 7 | Client has IP, requests info |
DHCP Relay Agent
When clients and servers reside on different subnets, DHCP broadcast packets cannot cross routers. A DHCP relay agent (usually configured on the router or switch) forwards DISCOVER/REQUEST messages to the server and relays OFFER/ACK back to the client.
# Cisco IOS relay configuration
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip helper-address 10.0.0.5 # DHCP server IP
Without relay agents, every subnet would need its own DHCP server. The relay introduces the giaddr (gateway IP address) field in the DHCP packet, allowing the server to select the correct pool for the client’s subnet.
Configuration
ISC DHCP Server
# /etc/dhcp/dhcpd.conf
# Global options
option domain-name "example.com";
option domain-name-servers 8.8.8.8, 8.8.4.4;
default-lease-time 600;
max-lease-time 7200;
# Subnet declaration
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.100 192.168.1.200;
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
}
# Reserved addresses
host printer {
hardware ethernet 00:11:22:33:44:55;
fixed-address 192.168.1.50;
}
Common Options
# DNS servers
option domain-name-servers 8.8.8.8, 8.8.4.4;
# Router/Gateway
option routers 192.168.1.1;
# Subnet mask
option subnet-mask 255.255.255.0;
# Broadcast address
option broadcast-address 192.168.1.255;
# NTP servers
option ntp-servers 0.pool.ntp.org;
# VLAN
option VLAN-ID 100;
DHCP options are defined in RFC 2132. Each option carries a code (1 for subnet mask, 3 for router, 6 for DNS server, 42 for NTP, etc.) and a value. Most network stacks honor roughly 60 standard options. For deeper coverage of DNS integration, see our DNS Deep Dive.
IPv6 DHCP (DHCPv6)
# /etc/dhcp/dhcpd6.conf
# Stateful DHCPv6
subnet6 2001:db8::/32 {
range6 2001:db8::1000 2001:db8::2000;
option dhcp6.name-servers 2001:db8::1;
option dhcp6.domain-search "example.com";
}
# Stateless (SLAAC + RDNSS)
# Clients use SLAAC for address, DHCP for options
IPv6 introduces two DHCP modes:
- Stateful DHCPv6: The server assigns addresses and options, similar to DHCPv4.
- Stateless DHCPv6 (SLAAC + RDNSS): Clients self-assign addresses via SLAAC (Stateless Address Autoconfiguration) and use DHCP only for options (DNS, domain search). This is the recommended approach for most networks.
As of early 2026, IPv6 adoption reached approximately 45% of global internet traffic, with projections to cross 65% by 2030. Enterprises operating dual-stack environments should deploy DHCPv6 alongside DHCP for consistency. The IETF is also progressing the “IPv6-Mostly” (6mops) draft, defining operational practices for networks that run IPv6 as the primary protocol with IPv4 as a secondary service.
Python DHCP Client
import socket
import struct
def build_dhcp_discover():
"""Build a minimal DHCPDISCOVER packet."""
# DHCP frame structure (simplified)
op = 1 # Boot request
htype = 1 # Ethernet
hlen = 6 # MAC length
hops = 0
xid = 0x12345678
secs = 0
flags = 0x8000 # Broadcast
ciaddr = 0
yiaddr = 0
siaddr = 0
giaddr = 0
chaddr = bytes([0x00, 0x11, 0x22, 0x33, 0x44, 0x55])
sname = b''
file = b''
# Fixed header
header = struct.pack(
'!BBBBIHHHIIII16s64s128s',
op, htype, hlen, hops, xid, secs, flags,
ciaddr, yiaddr, siaddr, giaddr,
chaddr.ljust(16, b'\x00'),
sname.ljust(64, b'\x00'),
file.ljust(128, b'\x00')
)
# Magic cookie + DHCP message type option (53 = DISCOVER)
magic = b'\x63\x82\x53\x63'
options = b'\x35\x01\x01' # Option 53, len 1, value 1=DISCOVER
options += b'\xff' # End option
return header + magic + options
For packet-level analysis of DHCP traffic, see our Network Traffic Analysis Guide.
Best Practices
Lease Times
- Data centers / servers: Use static reservations (infinite or very long leases). Servers should never depend on DHCP lease renewal for availability.
- Enterprise LAN: 8-24 hours balances renewal overhead with address recovery after devices leave.
- Wi-Fi / guest networks: 30-60 minutes. Mobile devices churn frequently; short leases ensure pools do not exhaust.
- IoT / temporary devices: 10-30 minutes. High-churn environments benefit from rapid address recycling.
Reservations
Reserve addresses by MAC for infrastructure devices (printers, APs, cameras, VoIP phones). This gives you the management benefits of DHCP (centralized, documented) with the predictability of static IPs.
Redundancy
Run at least two DHCP servers and split the pool so each server owns a non-overlapping range. Configure both as authoritative so a client can renew with either if one fails.
Monitoring and Logging
Log all DHCP transactions to a centralized system (syslog, ELK, Loki). Alert on:
- Pool exhaustion (no free addresses in any range)
- DHCPNAK spikes (possible misconfiguration or rogue server activity)
- Unrecognized MAC addresses requesting leases (potential unauthorized access)
For a broader approach to segmentation, see our Network Segmentation and VLAN Best Practices Guide.
Modern DHCP Implementations
ISC Kea
{
"Dhcp4": {
"interfaces-config": {
"interfaces": ["eth0"]
},
"lease-database": {
"type": "mysql",
"host": "localhost",
"name": "kea_lease",
"user": "kea",
"password": "password"
},
"subnet4": [
{
"subnet": "192.168.1.0/24",
"pools": [ { "pool": "192.168.1.100 - 192.168.1.200" } ],
"option-data": [
{
"name": "routers",
"data": "192.168.1.1"
},
{
"name": "domain-name-servers",
"data": "8.8.8.8, 8.8.4.4"
}
]
}
]
}
}
ISC Kea is the modern successor to ISC DHCP. It features a REST API for dynamic configuration, database-backed lease storage (MySQL, PostgreSQL, memfile), and native hooks for DDNS, host reservations, and forensic logging.
In 2025, ISC open-sourced many formerly commercial Kea hook libraries, making high-availability, flex-identifier, and forensic-logging hooks freely available. Kea 2026 development plans include:
- Active Leasequery — the last major RFC feature not yet supported, enabling external systems to query active leases in real time
- Blast Radius vulnerability fix — addressing a well-known protocol-level vulnerability that can propagate DHCP failures across a failover pair
- Improved interface detection and high-traffic overflow handling
- OAuth authentication and role-based authorization via Stork (ISC’s management dashboard)
- SBOM generation with SLSA documentation for supply chain security
- KeaMA migration tool updates to help remaining ISC DHCP users transition
OpenWrt DHCP Configuration
# /etc/config/network
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
list dhcp_option '6,8.8.8.8,8.8.4.4'
list dhcp_option '3,192.168.1.1'
Docker DHCP
# Docker networks can use DHCP
networks:
dhcp-network:
driver: bridge
ipam:
config:
- subnet: 172.20.0.0/16
ip_range: 172.20.10.0/24
DHCP Security
Rogue DHCP Detection
An unauthorized DHCP server on your network can assign malicious gateway or DNS addresses, enabling man-in-the-middle attacks. Detect rogue servers by listening for unsolicited DHCPOFFER packets:
# Python script to detect rogue DHCP servers
import socket
import struct
def detect_rogue_dhcp():
"""Monitor for unauthorized DHCP servers"""
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(('', 68))
known_servers = ['192.168.1.1'] # Authorized servers
while True:
data, addr = sock.recvfrom(4096)
if addr[0] not in known_servers:
print(f"WARNING: Possible rogue DHCP server from {addr[0]}")
DHCP Starvation Attacks
A DHCP starvation attack floods the server with DHCPDISCOVER messages using spoofed MAC addresses, exhausting the address pool so legitimate clients cannot obtain IPs. Once the pool is depleted, an attacker can introduce a rogue DHCP server to distribute malicious configuration.
Mitigations:
- Port security — limit the number of MAC addresses per switch port
- DHCP rate limiting — restrict the number of DHCP messages per second per port
- DHCP snooping — combined with rate limiting, prevents both starvation and rogue servers
TunnelVision Attack (VPN Decloaking)
Disclosed in 2024, the TunnelVision (CVE-2024-3661) attack exploits DHCP to bypass VPN encryption. The attacker, acting as a rogue DHCP server, sets the client’s gateway to their own machine while keeping the VPN tunnel alive. All non-VPN traffic routes through the attacker, effectively decloaking the VPN. This attack works because many VPN implementations do not adequately isolate the DHCP-managed physical interface from the VPN tunnel interface.
Mitigation requires configuring the VPN client to bind to a specific network interface and applying DHCP snooping on the access layer to prevent rogue DHCP servers from operating.
DHCP Snooping
DHCP snooping is a switch-level security feature that filters DHCP messages by port. Trusted ports (uplink to DHCP server) forward all DHCP messages; untrusted ports (client-facing) only forward DHCPREQUEST and DHCPDECLINE, dropping OFFER and ACK from unauthorized sources.
# Cisco switch DHCP snooping configuration
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping information option
interface GigabitEthernet1/0/1
ip dhcp snooping trust
Troubleshooting DHCP
Common Issues
# Linux DHCP client troubleshooting
# Check DHCP lease
sudo dhclient -v eth0
# Release and renew
sudo dhclient -r eth0
sudo dhclient eth0
# Check lease file
cat /var/lib/dhcp/dhclient.leases
# Debug DHCP
sudo dhclient -d eth0
Note: Microsoft’s June 2025 security updates (KB5040434 and related) caused the Windows DHCP Server service to intermittently stop responding on Server 2016/2019/2022. If you encounter DHCP failures after Windows updates, verify the DHCP service state and review the System event log for DHCPServer source entries.
Packet Capture
# Wireshark filter for DHCP
# Display filter: bootp
# Capture DHCP traffic
sudo tcpdump -i eth0 -nn port 67 or port 68
See the Network Troubleshooting Complete Guide for a structured approach to diagnosing network issues.
DHCP in Cloud Environments
AWS VPC DHCP
{
"DhcpOptions": {
"DhcpConfigurations": [
{
"Key": "domain-name-servers",
"Values": ["AmazonProvidedDNS"]
},
{
"Key": "ntp-servers",
"Values": ["169.254.169.123"]
}
]
}
}
Kubernetes CNI DHCP
{
"cniVersion": "0.3.1",
"type": "dhcp",
"capabilities": {
"dns": true
}
}
Conclusion
DHCP is essential for efficient network management, reducing manual configuration and enabling centralized IP address management. In 2026, DHCP continues to evolve with better security features, cloud integration, and automation capabilities.
Key takeaways:
- Understand the DORA process and T1/T2 renewal mechanics for troubleshooting
- Use DHCP reservations for infrastructure devices
- Implement DHCP snooping and rogue server detection to prevent attacks
- Leverage modern DHCP servers like ISC Kea with API-driven management
- Monitor and log DHCP activity for capacity planning and security auditing
Resources
- RFC 2131 - DHCP - Core DHCP specification
- RFC 2132 - DHCP Options - Option definitions
- RFC 8415 - DHCPv6 - IPv6 DHCP specification
- ISC Kea DHCP - Modern open-source DHCP server
- ISC 2025 Stork, Kea, and DHCP Development Report - ISC roadmap and 2026 plans
- TunnelVision Attack (CVE-2024-3661) - VPN decloaking via DHCP
- DHCP Snooping Configuration Guide (Cisco)
Comments