/ GUIDE — NETWORK SECURITY

How do you detect a rogue DHCP server?

A second server can volunteer to be your gateway the moment you connect — no ARP spoofing required. Here’s how to see it answering.

You detect a rogue DHCP server by catching two servers answering where there should be one. When your device joins a network it asks “who gives out addresses here?” — and a rogue server answers too, offering itself as your gateway and its own DNS. On Windows, ipconfig /all shows the DHCP Server you accepted; if it isn’t your real router, your traffic may be going the wrong way from the very first packet.

A second server just volunteered to be your way onto the internet.
your device broadcasts: “who gives out addresses here?”
REAL GATEWAY
192.168.1.1
router → 192.168.1.1
dns → 1.1.1.1
✓ known
UNEXPECTED SERVER
192.168.1.66
router → 192.168.1.66
dns → 10.0.0.9
⚑ ROGUE_DHCP
ROGUE DHCPone broadcast, two answers — a second server volunteers as your gateway
/ THE SIGNS

What a rogue DHCP server looks like

A rogue DHCP server is a cleaner path to becoming the middleman than ARP spoofing: no cache to poison, no forged replies to maintain — your device is simply told the wrong gateway from the moment it connects. The signs:

  • A DHCP Server that isn’t your router in ipconfig /all.
  • An unexpected default gateway or DNS you didn’t configure.
  • Intermittent “wrong network” behavior as your device races between two servers’ offers.
  • Every DNS lookup suddenly suspect — the rogue server’s DNS answers them all.
/ DETECTION

Watch the DHCP replies

The dependable method doesn’t add traffic of its own — it passively watches the DHCP OFFER and ACK messages already on the network and knows which server is your legitimate gateway. A reply from any other server IP or MAC, pushing a different gateway or DNS, is a rogue DHCP server.

·OFFER192.168.1.1gw 192.168.1.1 · dns 1.1.1.1
·ACK192.168.1.1lease granted
OFFER192.168.1.66gw 192.168.1.66 · dns 10.0.0.9
A reply from any server other than your real gateway — handing out a different gateway or DNS — is flagged as a rogue DHCP server.
PASSIVE DHCP WATCHevery OFFER and ACK checked against the one legitimate server — a stranger stands out

A good watch is rate-limited per server, so a misbehaving server that chatters doesn’t flood you, and it steps aside cleanly where the packet-capture driver isn’t available rather than guessing.

/ STAYING PROTECTED

Seal the path you can’t trust

Seeing a rogue DHCP server is the tell that the network’s own plumbing is compromised — the point to stop trusting it. Even when the attacker’s server has made itself your gateway and DNS, routing your traffic through an encrypted tunnel means all it gets to forward is ciphertext it can’t read or redirect.

ATTACKER GATEWAYrogue DHCP · its own DNSsees only ciphertextYOUyour deviceNETreal internetENCRYPTED TUNNEL — END TO END
SEALED PATHthe attacker made itself your gateway and DNS — so all it gets to forward is ciphertext it can’t read
/ THE TOOL

Catching it automatically

WifiThreatWatch passively watches DHCP OFFER/ACK replies and flags any server other than your real gateway handing out its own gateway or DNS — reporting which server made the offer and what it tried to give you, so you can tell a misconfiguration from an attack. Detection is free.

FREE FOREVERRogue DHCP detection is free, for Windows.

Go deeper: how we detect rogue DHCP · detecting ARP spoofing · the threats library

/ FAQ

Rogue DHCP: quick answers

How do I detect a rogue DHCP server?

Look for two servers answering DHCP on one network. On Windows, “ipconfig /all” shows your current DHCP Server and Default Gateway — if the DHCP Server isn’t your real router, that’s a red flag. The reliable method is a passive watch of DHCP OFFER/ACK replies: any reply from a server other than your legitimate gateway, handing out its own gateway or DNS, is a rogue DHCP server.

What is a rogue DHCP server?

A rogue DHCP server is a second, unauthorized machine on your network that answers the “who gives out addresses here?” broadcast your device sends when it joins — handing out itself as your gateway and its own DNS. If its reply wins, your device sends all its traffic through the attacker and resolves names with the attacker’s DNS, without any ARP spoofing required.

How is a rogue DHCP server different from ARP spoofing?

Both make the attacker your middleman, but by different means. ARP spoofing poisons your device’s IP-to-MAC mapping after you’re connected and must keep the lie fresh. A rogue DHCP server tells your device the wrong gateway and DNS from the moment it connects — no cache poisoning, no forged replies to maintain. It’s a cleaner path to the same interception.

Can a rogue DHCP server be accidental?

Yes. A misconfigured router, an old travel router, or a device with DHCP left on can hand out addresses by mistake, causing connectivity chaos rather than an attack. That’s why detection reports which server made the offer and what it handed out — so you can tell a misconfiguration from something hostile, instead of just seeing “the internet is broken.”

One broadcast, two answers.
See the one that shouldn’t be there.