Preventing Multiple DHCP servers/Vlans

[platypus]

Is there a way to prevent a router being plugged into a network taking over the dhcp/routing without using vlans or something heavier like 802.1x/domain isolation? We've got some procurve switches which support dhcp-snooping which looks like a nice solution, but it relies on vlans.

 

[Deception]

If you're using a windows domain environment, you can authorize certain DHCP servers. So, if a server isn't authorized, it shouldn't be able to flood your network.

Articles:
http://technet.microsoft.com/en-us/library/cc958931.aspx
http://technet.microsoft.com/en-us/library/cc753329(WS.10).aspx

Never used it myself, but worth a shot.

 

[platypus]

Sounds...perfect. We have a regular problem that people plug in routers, for testing purposes, to the "house" network, despite it being company policy not to do so (we have lots of little test rooms with isolated networks) . Everyone loses internet connection for a while until its detected and unplugged. I'm presuming its because the rogue router takes over dhcp/dns/routing temporarily?

Can you also do the same to authorise DNS?

 

[Deception]

Sounds...perfect. We have a regular problem that people plug in routers, for testing purposes, to the "house" network, despite it being company policy not to do so (we have lots of little test rooms with isolated networks) . Everyone loses internet connection for a while until its detected and unplugged. I'm presuming its because the rogue router takes over dhcp/dns/routing temporarily?

Can you also do the same to authorise DNS?

Could also be that it has the same gateway as the default one used too. So switches dont know which way to send the data for the internet. I dont know about the Authorize DNS server, but I will see what I can find.

 

[platypus]

The gateway is different. Will have a hunt around too, thanks .

Just to check as well, the article is for Win2000, I'm assuming its applicable to 2003/2008 as well?

 

[Deception]

The gateway is different. Will have a hunt around too, thanks .

Just to check as well, the article is for Win2000, I'm assuming its applicable to 2003/2008 as well?

The 2nd link has instructions on how to do it on windows 2008.

 

[GhostlyPea]

You can also implement DHCP snooping n your switches if that's your thing

- GP

 

[Deception]

We've got some procurve switches which support dhcp-snooping which looks like a nice solution, but it relies on vlans.

You can also implement DHCP snooping n your switches if that's your thing

- GP

 

[platypus]

^. Yeah that would be a nice solution but I'm trying to find other (simpler) solutions.

 

[#Chri5#]

Is it possible to do it via Windows AD?

I've just looked at the second link and that is what I've done when adding a new DHCP server (if you don't authorise the server, then it won't handle DHCP requests IIRC).

If you plug in a bog-standard router which is enabled as a DHCP server, how can a Windows DC stop it (the router) from responding to DHCP discovery broadcasts? A client can get multiple DHCP offers but then only accepts one which could be from the router.

 

[GhostlyPea]

D'oh >.<

- GP

 

[Deception]

Is it possible to do it via Windows AD?

I've just looked at the second link and that is what I've done when adding a new DHCP server (if you don't authorise the server, then it won't handle DHCP requests IIRC).

If you plug in a bog-standard router which is enabled as a DHCP server, how can a Windows DC stop it (the router) from responding to DHCP discovery broadcasts? A client can get multiple DHCP offers but then only accepts one which could be from the router.

Might be something they added to the DHCP responses that make the Domain DHCP requests more priority. I dont know for sure, would have to look in to it in more details.

 

[#Chri5#]

Technet for Server 2003 / 2003 R2.

When started, each DHCP client broadcasts a DHCP discover message (DHCPDISCOVER) to its local subnet to attempt to find a DHCP server. Because DHCP clients use broadcasts during their initial startup, you cannot predict which server will respond to the DHCP discover request of a client if more than one DHCP server is active on the same subnet.

For example, if two DHCP servers service the same subnet and its clients, clients can be leased at either server. Actual leases distributed to clients can depend on which server responds first to any given client. Later, the server first selected by the client to obtain its lease might be unavailable when the client attempts to renew.

 

[platypus]

Is it possible to do it via Windows AD?

I've just looked at the second link and that is what I've done when adding a new DHCP server (if you don't authorise the server, then it won't handle DHCP requests IIRC).

If you plug in a bog-standard router which is enabled as a DHCP server, how can a Windows DC stop it (the router) from responding to DHCP discovery broadcasts? A client can get multiple DHCP offers but then only accepts one which could be from the router.

The unauthorised dhcp server sends a DHCPInform request which gets rejected because its not on the authorised list. At least thats the case with 2000, probably the same albeit improved with 2003/2008.

 

[Deception]

Technet for Server 2003 / 2003 R2.

The guide for DHCP rogues that I posted were aimed at server 2008, not 2003 (Check date of your article, it was released before server 2008). Like I said, I dont know how it works - I basically found the articles when doing a search.

Can I ask, how are the routers 'tested'. As you may just be able to assign one switch to a VLAN that is used for testing and have them plug test equipment in there.

 

[#Chri5#]

The guide for DHCP rogues that I posted were aimed at server 2008, not 2003 (Check date of your article, it was released before server 2008). Like I said, I dont know how it works - I basically found the articles when doing a search.

I know the article referenced 2003, not 2008 - that's why I said "Technet for Server 2003 / 2003 R2." It would be great if this was solution - I've had this problem in the past myself.

Having done a bit more Googling... TechNet Rogue DHCP Servers (2008 R2)

For a DHCP server that is not a member of the Active Directory domain, the DHCP Server service sends a broadcast DHCPInform message to request information about the root Active Directory domain in which other DHCP servers are installed and configured. Other DHCP servers on the network respond with a DHCPAck message, which contains information that the querying DHCP server uses to locate the Active Directory root domain. The starting DHCP server then queries Active Directory for a list of authorized DHCP servers and starts the DHCP Server service only if its own address is in the list.

Although it is not recommended, you can use a stand-alone server as a DHCP server as long as it is not on a subnet with any authorized DHCP servers. When a stand-alone DHCP server detects an authorized server on the same subnet, it automatically stops leasing IP addresses to DHCP clients.

My question is does the DHCP server in a cheap as chips home router (eg a £15 TP-Link router) send out DHCPInform and shut down if an authorised 2008 R2 server responses?

 

[platypus]

The guide for DHCP rogues that I posted were aimed at server 2008, not 2003 (Check date of your article, it was released before server 2008). Like I said, I dont know how it works - I basically found the articles when doing a search.

Can I ask, how are the routers 'tested'. As you may just be able to assign one switch to a VLAN that is used for testing and have them plug test equipment in there.

The usual test is to plug 'em in, load a config file, test some remote commands, send strings to them that make them perform commands, try and break them etc, so they ideally need to be on the same network as people's computers.

My question is does the DHCP server in a cheap as chips home router (eg a £15 TP-Link router) send out DHCPInform and shut down if an authorised 2008 R2 server responses?

Ah, sorry I'm not entirely sure about that.

 

[Deception]

The usual test is to plug 'em in, load a config file, test some remote commands, send strings to them that make them perform commands, try and break them etc, so they ideally need to be on the same network as people's computers.

Pity you dont have a dedicated switch for this, get everyone to plug their PC and the routers in for testing, so they separated from rest of LAN, but can still do the remote commands etc.

 

[Saundie]

My question is does the DHCP server in a cheap as chips home router (eg a £15 TP-Link router) send out DHCPInform and shut down if an authorised 2008 R2 server responses?

In my experience, no. None of the Draytek routers used by my company's customers seems to be able to do this, and none of the consumer (i.e d-link, belkin, linksys, netgear etc) routers I've used at home will either. Microsoft DHCP, however, will do this, which has resulted in problems for some of our customers when they get a new router and one of our techs forgets to disable it's DHCP server - MS DHCP detects the router's DHCP server and shuts itself down.

As for DNS, your clients will get the DNS server information from the DHCP server they receive their IP addressing from. You could configure DNS forwarding for your domain's zone on the router to get around this. In your instance, where you have no control over the routers being connected to your network, this isn't an option for you.

My suggestion is to hunt down the people who keep connecting these routers and beat them with their router until either of them break

 

[LizardKing]

My question is does the DHCP server in a cheap as chips home router (eg a £15 TP-Link router) send out DHCPInform and shut down if an authorised 2008 R2 server responses?

Not likely
I think your biggest issue is not the DHCP but the rogue routers using the same IP address as your gateway.
Personally id change your gateway address to something outside the usually used address's and use long dhcp lease times.

Or get some good switches that allow you to set-up lists of authorised devices.