Networking and Protocols

DHCP

Automatic network configuration protocol that hands out IP settings as leases.

Where you will see it: packet captures, network diagrams, firewall rules, and system or network logs.

What it is

DHCP (Dynamic Host Configuration Protocol) is a client-server protocol that configures hosts on an IP network. Instead of manually setting an address on every device, a DHCP server manages a pool of addresses and options and hands them out as time-bound leases.

Key points
  • Uses a Discover, Offer, Request, Acknowledge flow to assign addresses.
  • Leases expire and must be renewed, which is why addresses can change over time.
  • Relay agents allow DHCP to work across subnets without extending broadcasts.

How it works in broad strokes

  1. A new client that has no IP address broadcasts a DHCP Discover message on the local network.
  2. One or more servers respond with a DHCP Offer containing a proposed address and configuration options.
  3. The client broadcasts a DHCP Request selecting one offer and requesting that address.
  4. The server replies with a DHCP Acknowledge, and the client configures its interface and starts the lease timer.
  5. Before the lease expires, the client attempts renewal, usually with unicast messages to the original server.
  6. If the client moves to a new network or cannot renew, it repeats discovery and may receive a different address.
  7. If the server is on a different subnet, a relay agent forwards the broadcast messages to the server and relays replies back.

Concrete example

You join a cafe WiFi. Your laptop broadcasts Discover, receives an Offer with an address and DNS, requests it, then gets an Ack. Seconds later you can browse the web, even though you never touched an IP setting.

Why it matters

Manual addressing is slow and error-prone. DHCP ensures devices come online quickly, reduces conflicts, and centralizes control over settings like gateways, DNS, and domain search paths.

Security angle

  • Rogue DHCP is a classic attack. Features like DHCP snooping can block server replies on untrusted ports.
  • DHCP options can redirect traffic by changing default gateways or DNS servers, so treat DHCP as security-sensitive.
  • Logs from the DHCP server are often the best source for answering who had which IP at a given time.
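The first two points can be checked from a packet capture. The following is an added example, not part of the original page: it parses the options of a DHCP reply and compares the server identifier (option 54), router (option 3) and DNS servers (option 6) against an allowlist. The policy dictionary, the helper names and the sample replies are assumptions constructed for illustration.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the 236-byte BOOTP header
OFFER, ACK = 2, 5             # option 53 (message type) values sent by servers
# option code -> (policy key, finding label): server identifier, router, DNS servers
CHECKS = {54: ("servers", "untrusted server"), 3: ("routers", "unexpected gateway"),
          6: ("dns", "unexpected DNS")}

def parse_options(payload: bytes) -> dict:
    """Return {option code: raw value} from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return opts

def ips(raw: bytes) -> list:
    """Split an option value into IPv4 strings, four bytes each."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

def audit_reply(payload: bytes, policy: dict) -> list:
    """List policy violations in an Offer or Ack; an empty list means it matches."""
    opts = parse_options(payload)
    if (opts.get(53) or b"\x00")[0] not in (OFFER, ACK):
        return []                                      # client messages are not audited
    findings = [] if 54 in opts else ["missing server identifier"]
    for code, (key, label) in CHECKS.items():
        findings += [f"{label} {ip}" for ip in ips(opts.get(code, b"")) if ip not in policy[key]]
    return findings

def build_reply(mtype: int, server: str, yiaddr: str, router: str, dns: str) -> bytes:
    """Constructed sample reply (not captured traffic) used to exercise the audit."""
    pack = lambda ip: ipaddress.IPv4Address(ip).packed
    opt = lambda code, value: bytes([code, len(value)]) + value
    header = struct.pack("!BBBBIHH4s4s4s4s16s192s", 2, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                         pack(yiaddr), bytes(4), bytes(4), bytes.fromhex("020000000001"), b"")
    return (header + MAGIC + opt(53, bytes([mtype])) + opt(54, pack(server))
            + opt(3, pack(router)) + opt(6, pack(dns)) + b"\xff")
```

Feed `audit_reply` the UDP payload of each server-to-client packet from a capture; any non-empty result points at a reply that did not come from, or does not match, the sanctioned server configuration.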

Common pitfalls

  • Assuming DHCP problems are always the server. Switch port security, VLAN issues, and relays are common causes.
  • Overlapping scopes or misconfigured pools can create address conflicts.
  • Ignoring lease times. Short leases can cause unnecessary churn; long leases slow down cleanup.
  • Forgetting that DHCP is usually unauthenticated. A rogue server can hand out bad gateways and DNS.
  • Troubleshooting without checking which VLAN the client is actually in.

DEEP DIVE

Bootstrapping: getting configuration from nothing

A new device often starts with only a MAC address and no IP. DHCP exists to solve that chicken-and-egg problem. The client broadcasts a DHCPDISCOVER because it does not yet know which server to talk to. Servers on the local network respond with DHCPOFFER messages proposing an address lease and options such as subnet mask, default gateway, and DNS servers.

The client chooses one offer and broadcasts a DHCPREQUEST to say which offer it is accepting. The chosen server replies with DHCPACK, and only then does the client configure the interface with the leased IP and options. This four-message exchange is often summarized as Discover, Offer, Request, Acknowledge.

In a capture, the broadcast nature explains the first steps. Early messages must reach every potential server, and early replies must reach a client that still cannot reliably receive unicast traffic. Once configured, later renewals often switch to unicast because both sides now know each other's addresses.

Leases: the network grants, you borrow

DHCP gives an address for a time period called a lease. The lease concept lets networks reuse addresses efficiently and recover from devices that disappear without saying goodbye. The client stores the lease metadata and starts renewal before the lease expires.

Renewal usually begins with a unicast DHCPREQUEST to the original server at a timer often called T1. If that fails, the client enters a rebinding phase at T2, where it broadcasts to any DHCP server that can extend the lease. If renewal succeeds, the server sends DHCPACK and the lease timers reset.

If renewal never succeeds and the lease expires, the client should stop using the address and start over. That is why misconfigured DHCP can cause periodic outages that look like random drops: the device works until renewal, then loses its lease and has to renegotiate.
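Lease bookkeeping is also what makes DHCP server logs usable for attributing an address to a device at a given time. The following is an added example, not part of the original page: it rebuilds holding intervals from lease events, treating a renewal as an extension and an unrenewed lease as ended at its expiry. The five-field log format and the sample events are constructed for illustration; real DHCP servers log in their own formats.

```python
from datetime import datetime, timedelta

# Constructed events (not from a real server): time, event, ip, mac, lease seconds
SAMPLE_LOG = """\
2024-05-01T09:00:00 ACK 192.0.2.50 02:00:00:00:00:01 3600
2024-05-01T09:30:00 ACK 192.0.2.50 02:00:00:00:00:01 3600
2024-05-01T10:10:00 RELEASE 192.0.2.50 02:00:00:00:00:01 0
2024-05-01T10:15:00 ACK 192.0.2.50 02:00:00:00:00:02 3600
2024-05-01T12:00:00 ACK 192.0.2.50 02:00:00:00:00:03 3600
"""

def lease_intervals(log: str) -> list:
    """Turn ACK/RELEASE events into (ip, mac, start, end) holding intervals."""
    open_leases, intervals = {}, []          # ip -> [mac, start, expiry]
    for line in log.splitlines():
        ts, event, ip, mac, secs = line.split()
        now = datetime.fromisoformat(ts)
        cur = open_leases.get(ip)
        if cur and (now >= cur[2] or (event == "ACK" and cur[0] != mac)):
            # Previous lease ran out unrenewed, or the address was reassigned
            intervals.append((ip, cur[0], cur[1], min(cur[2], now)))
            del open_leases[ip]
            cur = None
        if event == "ACK":
            expiry = now + timedelta(seconds=int(secs))
            if cur:
                cur[2] = expiry              # renewal by the same client resets the timer
            else:
                open_leases[ip] = [mac, now, expiry]
        elif event == "RELEASE" and cur and cur[0] == mac:
            intervals.append((ip, mac, cur[1], now))
            del open_leases[ip]
    # Leases still open at the end of the log run until their recorded expiry
    intervals += [(ip, m, s, e) for ip, (m, s, e) in open_leases.items()]
    return intervals

def who_had(log: str, ip: str, when: str):
    """Return the MAC holding `ip` at ISO time `when`, or None if unleased."""
    t = datetime.fromisoformat(when)
    for lease_ip, mac, start, end in lease_intervals(log):
        if lease_ip == ip and start <= t < end:
            return mac
    return None
```

Note the 10:05 query: the original 09:00 lease would have expired at 10:00, and only the 09:30 renewal keeps the address attributed to the first client.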

Crossing subnets: relays and helpers

Broadcasts do not cross routers, but organizations still want centralized DHCP. The fix is a DHCP relay agent, sometimes called a helper. The relay listens for client broadcasts on a subnet, then forwards them as unicast to a DHCP server on another network, carrying information about the original subnet.

From the client perspective, nothing changes. It still broadcasts. From the server perspective, it sees requests coming from the relay and chooses an address pool based on the relay information. This is how DHCP works across VLANs in real enterprises.

If devices on one VLAN never get an address, a broken or missing relay is a prime suspect. Another common issue is the server having no scope for that subnet, so it receives the forwarded request but cannot offer a valid address.

Practical troubleshooting patterns

If you see duplicate IP conflicts, check for rogue DHCP servers or for a mixture of DHCP and static addressing in the same pool. A simple home router misconfigured as an extra DHCP server can create chaotic behavior that looks like random connectivity issues.

If a client gets an address but cannot reach anything, the options are often wrong rather than the address itself. A wrong default gateway or wrong DNS server can make the device look offline even though the lease succeeded.

If renewals fail only on some networks, look for firewall rules that block UDP ports 67 and 68, or for relays that are not configured on all relevant interfaces. DHCP is simple, but it is sensitive to small policy mistakes because the client depends on it at boot.