/ ANNOUNCEMENT — MAY 20, 2026

We’re shipping rogue DHCP detection.

A second server can make itself your gateway the moment you connect — no ARP spoofing required. Now we watch for it.

Our sixth detector closes a cleaner path to the middleman: rogue DHCP server detection. It passively watches the DHCP replies on your network and flags any server that isn’t your real gateway trying to hand you its own gateway and DNS — on Windows, free.

No cache to poison, no forged replies to maintain. Your device is simply told the wrong gateway.
/ WHY IT MATTERS

Middleman without the ARP

When your device joins a network it broadcasts “who gives out addresses here?” A rogue DHCP server answers too, offering itself as your gateway and its own DNS. If its reply wins, you send all your traffic through the attacker — a cleaner route than ARP spoofing, with nothing to keep poisoning.

your device broadcasts: “who gives out addresses here?”
REAL GATEWAY
192.168.1.1
router → 192.168.1.1
dns → 1.1.1.1
✓ known
UNEXPECTED SERVER
192.168.1.66
router → 192.168.1.66
dns → 10.0.0.9
⚑ ROGUE_DHCP
ROGUE DHCPone broadcast, two answers — a second server volunteers as your gateway
/ WHAT SHIPPED

A passive, rate-limited watch

The detector passively watches the OFFER and ACK messages DHCP servers send, and knows which server is your legitimate gateway. A reply from any other server IP or MAC, pushing a different gateway or DNS, is flagged as a rogue DHCP server. The watch adds no traffic of its own, is rate-limited per server so a chatty misconfigured box doesn’t flood you, and steps aside cleanly where the capture driver isn’t available.

·OFFER192.168.1.1gw 192.168.1.1 · dns 1.1.1.1
·ACK192.168.1.1lease granted
OFFER192.168.1.66gw 192.168.1.66 · dns 10.0.0.9
A reply from any server other than your real gateway — handing out a different gateway or DNS — is flagged as a rogue DHCP server.
PASSIVE DHCP WATCHevery OFFER and ACK checked against the one legitimate server — a stranger stands out
/ AND WHEN YOU’RE PROTECTED

Ciphertext is all it forwards

Even when the attacker’s server has made itself your gateway and DNS, routing your traffic through the encrypted tunnel means all it gets to forward is ciphertext it can’t read or redirect.

ATTACKER GATEWAYrogue DHCP · its own DNSsees only ciphertextYOUyour deviceNETreal internetENCRYPTED TUNNEL — END TO END
SEALED PATHthe attacker made itself your gateway and DNS — so all it gets to forward is ciphertext it can’t read
/ THE PRICE

Detection is free

Rogue DHCP detection ships in the free version and always will. Seeing that the network’s own plumbing has been compromised — and which server did it — is exactly the kind of visibility that shouldn’t be paywalled.

FREE FOREVERRogue DHCP detection is free, for Windows.

Read more: how rogue DHCP works · how to detect it yourself · the MITM coverage post

Watch who volunteers to be your gateway.
Detection is free.