We’re shipping rogue DHCP detection.
A second server can make itself your gateway the moment you connect — no ARP spoofing required. Now we watch for it.
Our sixth detector closes a cleaner path to the middleman: rogue DHCP server detection. It passively watches the DHCP replies on your network and flags any server that isn’t your real gateway trying to hand you its own gateway and DNS — on Windows, free.
No cache to poison, no forged replies to maintain. Your device is simply told the wrong gateway.
Middleman without the ARP
When your device joins a network it broadcasts “who gives out addresses here?” A rogue DHCP server answers too, offering itself as your gateway and its own DNS. If its reply wins, you send all your traffic through the attacker — a cleaner route than ARP spoofing, with nothing to keep poisoning.
dns → 1.1.1.1
dns → 10.0.0.9
A passive, rate-limited watch
The detector passively watches the OFFER and ACK messages DHCP servers send, and knows which server is your legitimate gateway. A reply from any other server IP or MAC, pushing a different gateway or DNS, is flagged as a rogue DHCP server. The watch adds no traffic of its own, is rate-limited per server so a chatty misconfigured box doesn’t flood you, and steps aside cleanly where the capture driver isn’t available.
Ciphertext is all it forwards
Even when the attacker’s server has made itself your gateway and DNS, routing your traffic through the encrypted tunnel means all it gets to forward is ciphertext it can’t read or redirect.
Detection is free
Rogue DHCP detection ships in the free version and always will. Seeing that the network’s own plumbing has been compromised — and which server did it — is exactly the kind of visibility that shouldn’t be paywalled.
Read more: how rogue DHCP works · how to detect it yourself · the MITM coverage post