December 2008
In an unfirewalled network, we are faced with the threat of zombies running 'shadow' DHCP servers: they give out IP addresses exactly like the proper DHCP server would, but they forge the domain-names-server to be outside of our network. This has the effect of giving the intruders control over DNS lookup on our DNS clients, which may facilitate phishing and MITM attacks.
Our Linux PCs can be told to ignore the DNS information they receive via DHCP and use statically configured servers:
Open /etc/dhcp3/dhclient.conf and add (or edit) the line:

supersede domain-name-servers ip-of-first-dns-server, ip-of-second-dns-server;
Tcpdumping DHCP info is done like this:

tcpdump -i eth0 -len -s 1500 '(port bootps or port bootpc) and not host ip-of-proper-DHCP-server'

(the parentheses matter: in the filter syntax 'and' binds tighter than 'or', so without them packets from the proper server's bootps port would still be shown), but this doesn't show DHCPOFFERs on a switched network, so unless one controls the switches, it's pretty useless.
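As an added example (not code from the original post), the following Python script does the check a defender would want to run over captured DHCP server replies: it parses the BOOTP header and DHCP options, and flags any OFFER or ACK whose server-identifier (option 54) is not the authorized server or whose domain-name-servers (option 6) point outside the internal networks. The authorized server 192.0.2.1, the internal networks and the two sample packets are constructed values, not from the original post; how the raw UDP payloads are obtained (e.g. decoded from a tcpdump capture) is outside the block.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Policy values: constructed assumptions, replace with your own.
AUTHORIZED_DHCP_SERVER = IPv4Address("192.0.2.1")
INTERNAL_NETWORKS = [IPv4Network("192.0.2.0/24"), IPv4Network("10.0.0.0/8")]

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie at offset 236
OPT_DNS = 6                        # domain-name-servers
OPT_MSG_TYPE = 53                  # DHCP message type
OPT_SERVER_ID = 54                 # server identifier
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def parse_dhcp(payload):
    """Parse a BOOTP/DHCP UDP payload into (header dict, {option code: raw bytes}).
    Pad options (0) are skipped, option 255 ends the list; truncation raises."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = IPv4Address(payload[16:20])   # address being offered to the client
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr}, opts


def ip_list(raw):
    """Decode a packed list of IPv4 addresses (format of options 6 and 54)."""
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [IPv4Address(raw[i:i + 4]) for i in range(0, len(raw), 4)]


def check_offer(payload):
    """Return findings (strings) for one server->client DHCP message.
    An empty list means the message is consistent with the authorized server."""
    hdr, opts = parse_dhcp(payload)
    mtype = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if mtype not in (2, 5):   # only OFFER and ACK carry a lease
        return []
    tag = f"{MSG_NAMES[mtype]} xid={hdr['xid']:#x} yiaddr={hdr['yiaddr']}"
    findings = []
    server_id = ip_list(opts[OPT_SERVER_ID])[0] if OPT_SERVER_ID in opts else None
    if server_id != AUTHORIZED_DHCP_SERVER:
        findings.append(f"{tag}: server-identifier {server_id} is not the authorized DHCP server")
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if not any(dns in net for net in INTERNAL_NETWORKS):
            findings.append(f"{tag}: DNS server {dns} is outside the internal networks")
    return findings


def build_offer(xid, yiaddr, server_id, dns_servers, mtype=2):
    """Build a minimal DHCPOFFER/ACK payload; used here only to construct test data."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)          # op=BOOTREPLY, ethernet
    hdr += b"\x00" * 4 + IPv4Address(yiaddr).packed                 # ciaddr, yiaddr
    hdr += IPv4Address(server_id).packed + b"\x00" * 4               # siaddr, giaddr
    hdr += b"\x00" * 16 + b"\x00" * 64 + b"\x00" * 128 + DHCP_MAGIC  # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, mtype])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    dns_raw = b"".join(IPv4Address(d).packed for d in dns_servers)
    opts += bytes([OPT_DNS, len(dns_raw)]) + dns_raw + b"\xff"
    return hdr + opts


# Constructed samples: one reply from the real server, one from a shadow server
# handing out an external DNS server.
LEGIT_OFFER = build_offer(0x1234, "192.0.2.50", "192.0.2.1", ["192.0.2.1"])
ROGUE_OFFER = build_offer(0x1235, "192.0.2.51", "192.0.2.99", ["198.51.100.53"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, check_offer(pkt) or ["ok"])
```

Both checks are worth keeping: a shadow server that copies the real server's address into option 54 would pass the first test but still fail the second, and one that hands out an internal-looking but wrong resolver would fail the first.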