Forcing a static nameserver in the face of rogue DHCP servers

Jurjen Bokma

December 2008

In an unfirewalled network, we are faced with the threat of zombies running 'shadow' DHCP servers: they give out IP addresses exactly like the proper DHCP server would, but they forge the domain-name-servers option to point outside of our network. This gives the intruders control over DNS lookups on our DNS clients, which may facilitate phishing and MITM attacks.

Our Linux PCs can be told to ignore the DNS information they receive via DHCP and use statically configured servers:

Tcpdumping DHCP info is done like this:

    tcpdump -i eth0 -len -s 1500 port bootps or port bootpc and not host ip-of-proper-DHCP-server

but this doesn't show DHCPOFFERs on a switched network, so unless one controls the switches, it's pretty useless.
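
A host does see the DHCP replies addressed to itself, so it can audit those. The following is an added example, not part of the original page: it parses a raw DHCP payload (RFC 2131 layout) and flags a reply whose server identifier is not the proper DHCP server or whose DNS servers lie outside our network. The function names, addresses and sample packets are constructed for illustration.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"                    # DHCP magic cookie (RFC 2131)
OPT_DNS, OPT_MSGTYPE, OPT_SERVER_ID = 6, 53, 54
OFFER, ACK = 2, 5

def parse_options(payload):
    """Return {option code: raw value} from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                               # pad option: no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = opts.get(code, b"") + value    # split options are concatenated
        i += 2 + length
    return opts

def audit_reply(payload, proper_server, our_net):
    """Reasons a DHCPOFFER/DHCPACK looks forged; an empty list means clean."""
    opts = parse_options(payload)
    if (opts.get(OPT_MSGTYPE) or b"\x00")[0] not in (OFFER, ACK):
        return []                                   # not a server reply we audit
    findings, net = [], ipaddress.ip_network(our_net)
    if opts.get(OPT_SERVER_ID) != ipaddress.IPv4Address(proper_server).packed:
        findings.append("reply from unexpected DHCP server")
    dns = opts.get(OPT_DNS, b"")
    for off in range(0, len(dns) - len(dns) % 4, 4):
        addr = ipaddress.IPv4Address(dns[off:off + 4])
        if addr not in net:
            findings.append(f"DNS server {addr} outside {net}")
    return findings

def build_offer(server, dns_servers):
    """Constructed sample DHCPOFFER payload for the demo (not a real capture)."""
    pack = lambda ip: ipaddress.IPv4Address(ip).packed
    dns = b"".join(pack(ip) for ip in dns_servers)
    return (bytes([2, 1, 6, 0]) + bytes(232) + MAGIC + bytes([OPT_MSGTYPE, 1, OFFER])
            + bytes([OPT_SERVER_ID, 4]) + pack(server)
            + bytes([OPT_DNS, len(dns)]) + dns + b"\xff")

if __name__ == "__main__":
    rogue = build_offer("10.0.0.99", ["10.0.0.53", "203.0.113.7"])
    print(audit_reply(rogue, "10.0.0.1", "10.0.0.0/16"))
```

The server identifier can itself be forged, so the DNS-range check is the one that still fires when a shadow server impersonates the proper one.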