Fwd: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan

Rune Kock rune.kock at gmail.com
Fri Aug 22 22:54:34 BST 2008


On Fri, Aug 22, 2008 at 09:35, Paul Chambers <bod at bod.org> wrote:
> Sadly the Dell Powerconnect 2716 does not support SNMP at all. The so-called
> 'RMON' support is limited to aggregated statistics for the entire switch,
> and is only visible within the web interface, not through SNMP (I think it's
> very misleading on Dell's part to call that RMON, to be honest).
>
> So no joy with this particular model, sorry. It's possible that there are
> other mid-level switches which do support this info via SNMP, but I have no
> information to offer.

Thanks for taking the time to test it.  I'll start looking at
different switches and see if one turns up at a reasonable price.
Anyway, just knowing that this is an option is a great help.  It never
occurred to me to look for advanced switches to solve this.

> Another random idea: how about attempting to 'starve' a rogue DHCP server of
> addresses to hand out? i.e. monitor for another DHCP server, and if one
> appears, repeatedly request fresh DHCP addresses until it has no more to
> hand out? would the requests need to come from unique MAC addresses? does it
> help to pretend to be a bootp relay? This isn't an area I know a whole lot
> about, to be honest.

A very interesting idea.  I don't know how a DHCP-server reacts when
it runs out of IPs: whether it just becomes silent, or whether it
sends an error back.  The first case would be great; the latter might
cause the client to give up, and thus not solve anything.

If this idea works, it might be possible to hack an existing program
such as dhcp_probe to do this.

> It's a shame DHCP doesn't offer a mechanism to handle such situations more
> gracefully. I guess we could always extend dnsmasq to add one, in an attempt
> to establish a de facto standard :)

I wonder if IPv6 handles this any better.

If we were to extend the DHCP-standard, I would suggest a priority
field.  Routers would have a low priority until they are explicitly
configured with a higher one.  And the top priorities might require a
certificate signed by some CA.
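The thread mentions dhcp_probe as a starting point for detecting a rogue server. As an added illustration (not code from this thread, from dnsmasq or from dhcp_probe), the block below shows the core check such a watcher performs: parse a DHCP OFFER (RFC 2131 fixed header, magic cookie, then TLV options), pull the server identifier (option 54), and flag any offer whose server is not on an operator-supplied allowlist. The packet bytes are constructed in `build_offer` for an offline run; the allowlist and the IPs are assumptions, not values from the thread.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # RFC 2131 fixed header, 236 bytes
DHCPOFFER = 2                         # value of option 53 for an OFFER
BOOTREPLY = 2                         # 'op' value for server -> client messages


def build_offer(server_ip, offered_ip, xid=0x3903F326):
    """Constructed sample DHCP OFFER used only to exercise the parser (not a capture)."""
    header = struct.pack(
        HEADER_FMT,
        BOOTREPLY, 1, 6, 0, xid, 0, 0,
        b"\0" * 4,                          # ciaddr
        socket.inet_aton(offered_ip),       # yiaddr: address being offered
        socket.inet_aton(server_ip),        # siaddr
        b"\0" * 4,                          # giaddr
        bytes.fromhex("001122334455") + b"\0" * 10,  # chaddr (constructed MAC)
        b"\0" * 64, b"\0" * 128,            # sname, file
    )
    options = (
        b"\x35\x01" + bytes([DHCPOFFER])          # option 53: message type
        + b"\x36\x04" + socket.inet_aton(server_ip)  # option 54: server identifier
        + b"\x33\x04" + struct.pack("!I", 3600)   # option 51: lease time
        + b"\xff"                                 # end of options
    )
    return header + MAGIC_COOKIE + options


def parse_dhcp(pkt):
    """Return the fields a rogue-server check needs, or None if pkt is not DHCP."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        return None
    fields = struct.unpack(HEADER_FMT, pkt[:236])
    opts = {}
    i = 240
    while i < len(pkt):                 # TLV walk: code, length, value
        code = pkt[i]
        if code == 0:                   # pad option has no length byte
            i += 1
            continue
        if code == 255:                 # end option
            break
        if i + 1 >= len(pkt):           # truncated option header
            break
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    server_id = opts.get(54)
    return {
        "op": fields[0],
        "xid": fields[4],
        "yiaddr": socket.inet_ntoa(fields[8]),
        "msg_type": opts.get(53, b"\0")[0],
        "server_id": socket.inet_ntoa(server_id) if server_id and len(server_id) == 4 else None,
    }


def classify_offer(pkt, allowed_servers):
    """'expected' if the OFFER names an allowlisted server, 'rogue' otherwise."""
    info = parse_dhcp(pkt)
    if info is None or info["op"] != BOOTREPLY or info["msg_type"] != DHCPOFFER:
        return "ignored"                # not an OFFER: nothing to judge
    return "expected" if info["server_id"] in allowed_servers else "rogue"


if __name__ == "__main__":
    allowed = {"192.168.1.1"}           # assumed address of the legitimate dnsmasq box
    samples = [build_offer("192.168.1.1", "192.168.1.50"),
               build_offer("192.168.1.254", "192.168.1.77")]  # constructed rogue
    for pkt in samples:
        info = parse_dhcp(pkt)
        print(info["server_id"], "->", info["yiaddr"], classify_offer(pkt, allowed))
```

In a real watcher the packets would come from a socket bound to UDP port 68 (or a raw capture), and an unexpected server identifier is what you would log or alert on; the parser above is the part that does not change.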
