[Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan

Rune Kock rune.kock at gmail.com
Thu Aug 21 16:01:21 BST 2008


On Thu, Aug 21, 2008 at 16:03, Simon Kelley <simon at thekelleys.org.uk> wrote:
> Rune Kock wrote:
>> I know this is a bit off topic, but maybe someone on the list has some
>> thoughts on this:
>>
>> I'm running a router for a group of people connected by lan.  And I
>> use a dhcp-server (dnsmasq) on the router to configure the clients.
>>
>> But increasingly often, someone has connected another router to the
>> lan, usually to use it as a wifi access point.  And since they don't
>> know what they are doing, they connect their own router's lan-port to
>> the big lan instead of using the wan-port.  And so we get a wrong
>> dhcp-server competing with dnsmasq.
>>
>> Every time this happens, I have to track down the rogue router by
>> testing each cable of the lan.  Quite time consuming, and until I get
>> it done, the network is very unstable for the users.
>>
>> Does anyone have some ideas as to how to mitigate this problem?
>
> Talking to the network guys of my acquaintance, it's not an easy problem
> to fix unless you have enterprise-grade networking kit.

How would enterprise-grade equipment help?

> You could try something which broadcasts a DHCPDISCOVER packet, that
> should give you replies from every DHCP server on the net, with their IP
> addresses.

Yes, that would at least alert me immediately when the thing happens.
Know any program that can do that, or would I have to write one from
scratch?

Anyway, thanks for your input.  I never expected any easy solution for
this.  My own thoughts have been:

- drop DHCP, and configure all clients statically.  Not fun.

- use some kind of software-firewall or access program (PPPoE?) on the
clients.  Definitely not fun.

- split the lan into small segments.  Doable, but will only confine
the problem to one segment, not remove it.

In the end, perhaps the only way is to shout DON'T DO THAT to the
users, and hope they listen...


Rune
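The probe Simon describes (broadcast a DHCPDISCOVER, see who answers) is small enough to write in Python, so here is one as an added example that is not part of the thread or of dnsmasq itself. It builds the DISCOVER with the broadcast flag set, decodes every BOOTREPLY that comes back, and flags any offer whose server identifier (option 54) is not on an allow-list you pass on the command line (the dnsmasq router's own address). The client MAC, the helper names and the sample packets used by `sample_offer` are constructed for this example; the script must run as root because DHCP clients receive on UDP port 68.

```python
# Added example, not from the dnsmasq-discuss thread. Constructed names and MAC.
import random
import socket
import struct
from typing import Iterable, List, Optional, Tuple

MAGIC = b"\x63\x82\x53\x63"                 # RFC 2131 option-field cookie
CLIENT_MAC = b"\x02\x00\x00\x00\x00\x01"    # constructed, locally administered
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed 236-byte BOOTP header


def build_discover(mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER with the broadcast flag set, so every offer is sent to
    255.255.255.255 and our socket sees it despite the made-up MAC."""
    header = struct.pack(HEADER_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (b"\x35\x01\x01"            # option 53: message type DISCOVER
               + b"\x37\x03\x01\x03\x06"  # option 55: ask for mask, router, DNS
               + b"\xff")                 # end
    return header + MAGIC + options


def parse_reply(data: bytes) -> Optional[dict]:
    """Decode a BOOTREPLY; return None for anything that is not one."""
    if len(data) < 240 or data[236:240] != MAGIC:
        return None
    op, _ht, _hl, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    if op != 2:
        return None
    opts = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == 0:                      # pad
            i += 1
            continue
        if code == 255 or i + 1 >= len(data):
            break
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:            # truncated option, stop here
            break
        opts[code] = value
        i += 2 + length

    def ip(code: int) -> Optional[str]:
        v = opts.get(code)
        return socket.inet_ntoa(v[:4]) if v and len(v) >= 4 else None

    return {
        "xid": xid,
        "type": opts[53][0] if opts.get(53) else None,  # 2 = DHCPOFFER
        "yiaddr": socket.inet_ntoa(data[16:20]),       # address being offered
        "server": ip(54),                              # option 54: server identifier
        "router": ip(3),                               # option 3: gateway it hands out
    }


def find_rogues(replies: Iterable[bytes], xid: int, known_servers: set) -> List[dict]:
    """Offers for our transaction whose server identifier is not allow-listed."""
    rogues = []
    for raw in replies:
        r = parse_reply(raw)
        if r is None or r["xid"] != xid or r["type"] != 2:
            continue
        if r["server"] not in known_servers:
            rogues.append(r)
    return rogues


def sample_offer(xid: int, server_ip: str, offered_ip: str) -> bytes:
    """Constructed DHCPOFFER for offline testing, not a captured packet."""
    header = struct.pack(HEADER_FMT, 2, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, socket.inet_aton(offered_ip),
                         socket.inet_aton(server_ip), b"\0" * 4,
                         CLIENT_MAC.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    sid = socket.inet_aton(server_ip)
    return header + MAGIC + b"\x35\x01\x02" + b"\x36\x04" + sid + b"\x03\x04" + sid + b"\xff"


def probe(timeout: float = 3.0) -> Tuple[int, List[bytes]]:
    """Send one DISCOVER and collect everything that answers within the timeout."""
    xid = random.getrandbits(32)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", 68))                       # needs root
    s.settimeout(timeout)
    replies = []
    try:
        s.sendto(build_discover(CLIENT_MAC, xid), ("255.255.255.255", 67))
        while True:
            data, _ = s.recvfrom(4096)
            replies.append(data)
    except socket.timeout:
        pass
    finally:
        s.close()
    return xid, replies


if __name__ == "__main__":
    import sys
    known = set(sys.argv[1:])              # e.g. the dnsmasq router's own address
    xid, replies = probe()
    for r in find_rogues(replies, xid, known):
        print(f"unexpected DHCP server {r['server']} offered {r['yiaddr']} "
              f"(router option {r['router']})")
```

Run it from the router itself (`python3 dhcpprobe.py 192.168.1.1` with the router's address as the only allowed server) on a cron job and mail the output; an empty result means only dnsmasq answered, anything else names the misconfigured box by the address it hands out as its server identifier and the gateway it advertises, which narrows the cable hunt before users notice. Binding port 68 fails on an interface where a DHCP client is already running, so use the router's LAN side. The same probe exists ready-made as nmap's `broadcast-dhcp-discover` NSE script. The "enterprise-grade kit" Simon mentions addresses prevention rather than detection: managed switches implement DHCP snooping, which drops DHCP server replies arriving on any port not marked trusted.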
