Ports

Port 67: DHCP server

Server side of DHCP. Provides IP configuration to clients on a local network.

Where you will see it: in scans, firewall rules, vulnerability reports, and service configs. Treat an open port as an exposure point and verify that the service behind it is expected, hardened, and restricted to the hosts that need it.

What it is

UDP port 67 is the well-known server port for DHCP. A port is a transport-layer number used together with an IP address and a transport protocol such as TCP or UDP to direct traffic to the correct service on a host.

A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections. The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate.

Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network.

DHCP exists because a new machine often does not yet know its IP address, default gateway, or DNS settings. A DHCP server listens on UDP 67 so clients can discover it without prior configuration: the first messages are broadcast to a fixed, well-known port because the client has no address and no server address to start from. DHCP runs over UDP, so there is no connection setup as with TCP; each message stands alone and the client and server match them by transaction ID.

A client sends from UDP 68 and broadcasts a discover message to UDP 67. The server replies from 67 to 68 with an offer, the client requests the offered address, and the server acknowledges the lease along with options such as subnet mask, router, and DNS servers.

When you know the port roles, you can read a packet capture and see the real flow: anything from 68 to 67 is the client talking, anything from 67 to 68 is a server answering. Security-wise, a rogue DHCP server can hand out a malicious gateway or DNS server, so server-type messages on these ports are usually allowed only from trusted segments or trusted switch ports.

How it works in broad strokes

  1. A new client broadcasts a DHCPDISCOVER from UDP 68 to UDP 67 because it does not yet have an IP address.
  2. The server replies with a DHCPOFFER; the client broadcasts a DHCPREQUEST naming the offered address and the chosen server, and that server answers with a DHCPACK.
  3. Later the client renews the lease, first by unicast to the server that granted it and, if that gets no answer, by broadcast so any server on the segment can rebind it.

Concrete example

You plug a laptop into a conference room port. It broadcasts for DHCP, gets an offer from the building DHCP server, and then configures IP, gateway, and DNS within seconds.

Why it matters

DHCP is a control point for network access. A rogue DHCP server can redirect clients to malicious DNS or gateways. Operationally, DHCP issues look like random connectivity failures, so understanding the flow helps you troubleshoot fast.

Security angle

  • Use DHCP snooping on switches (server-type messages such as OFFER and ACK are accepted only on ports marked trusted), or equivalent network access controls, to stop rogue servers before clients see them.
  • Log lease assignments and alert when the server identifier, router, or DNS options seen in offers differ from the values your infrastructure should be handing out.
  • Segment networks so guest devices cannot influence infrastructure services.
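The exchange described under "How it works in broad strokes" and the rogue-server check in the bullets above, as an added example that is not part of the original page: a minimal DHCPv4 message encoder and decoder (RFC 2131 fixed header, RFC 2132 TLV options), an in-memory DISCOVER/OFFER/REQUEST/ACK exchange that records which port each side sends from, and a check that flags an offer whose server identifier, router, or DNS option is not on an allowlist. The addresses, MAC, lease time, and allowlists are constructed sample values, and the server logic is a toy that holds a single reservation rather than a real pool.

```python
import struct
from ipaddress import IPv4Address

# Added example (not from the original page): a minimal DHCPv4 encoder/decoder,
# a scripted DISCOVER/OFFER/REQUEST/ACK exchange, and a rogue-offer check.
# All addresses, the MAC and the allowlists below are constructed sample values.

SERVER_PORT, CLIENT_PORT = 67, 68
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5      # option 53 message types
MAGIC = b"\x63\x82\x53\x63"                     # magic cookie that precedes the options
HDR = "!BBBBIHH4s4s4s4s16s64s128s"              # 236-byte fixed header (RFC 2131)
SERVER_IP, DNS_IP = "10.0.0.1", "10.0.0.53"     # constructed
TRUSTED = {"server": {"10.0.0.1"}, "router": {"10.0.0.1"}, "dns": {"10.0.0.53"}}


def ip(addr):
    return IPv4Address(addr).packed


def build(op, xid, chaddr, options, yiaddr="0.0.0.0", siaddr="0.0.0.0"):
    """Encode one DHCP message; options is a list of (code, value_bytes)."""
    hdr = struct.pack(HDR, op, 1, len(chaddr), 0, xid, 0, 0x8000,   # flags: broadcast bit
                      ip("0.0.0.0"), ip(yiaddr), ip(siaddr), ip("0.0.0.0"),
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"                 # 0xff = end option


def parse(data):
    """Decode the fixed header and the TLV options into a dict."""
    f = struct.unpack(HDR, data[:236])
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(data) and data[i] != 0xFF:
        if data[i] == 0:                                # pad option has no length byte
            i += 1
            continue
        code, ln = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "yiaddr": str(IPv4Address(f[8])),
            "siaddr": str(IPv4Address(f[9])), "chaddr": f[11][:f[2]], "options": opts}


def server_handle(req, leases):
    """Server side: answer DISCOVER with OFFER and a matching REQUEST with ACK."""
    kind, lease = req["options"][53][0], leases[req["chaddr"]]
    common = [(1, ip("255.255.255.0")), (3, ip(SERVER_IP)), (6, ip(DNS_IP)),
              (51, struct.pack("!I", 86400)), (54, ip(SERVER_IP))]  # mask, router, DNS, lease, server id
    if kind == DISCOVER:
        return build(BOOTREPLY, req["xid"], req["chaddr"],
                     [(53, bytes([OFFER]))] + common, yiaddr=lease, siaddr=SERVER_IP)
    if kind == REQUEST:
        wanted = str(IPv4Address(req["options"][50]))   # requested address (option 50)
        chosen = str(IPv4Address(req["options"][54]))   # server the client selected (option 54)
        if chosen != SERVER_IP or wanted != lease:
            return None   # not for us, or not the lease we hold; a real server would send a DHCPNAK (type 6)
        return build(BOOTREPLY, req["xid"], req["chaddr"],
                     [(53, bytes([ACK]))] + common, yiaddr=lease, siaddr=SERVER_IP)
    return None


def dora_exchange(mac=bytes.fromhex("001122334455"), xid=0x3903F326):
    """Run the four-message exchange in memory; return the port trace and the client's config."""
    leases, trace = {mac: "10.0.0.50"}, []
    discover = build(BOOTREQUEST, xid, mac, [(53, bytes([DISCOVER]))])
    trace.append((CLIENT_PORT, SERVER_PORT, "DISCOVER"))   # client broadcasts 68 -> 67
    offer = parse(server_handle(parse(discover), leases))
    trace.append((SERVER_PORT, CLIENT_PORT, "OFFER"))      # server answers 67 -> 68
    request = build(BOOTREQUEST, xid, mac, [(53, bytes([REQUEST])),
                    (50, ip(offer["yiaddr"])), (54, offer["options"][54])])
    trace.append((CLIENT_PORT, SERVER_PORT, "REQUEST"))
    ack = parse(server_handle(parse(request), leases))
    trace.append((SERVER_PORT, CLIENT_PORT, "ACK"))
    cfg = {"ip": ack["yiaddr"], "router": str(IPv4Address(ack["options"][3])),
           "dns": str(IPv4Address(ack["options"][6])),
           "lease": struct.unpack("!I", ack["options"][51])[0]}
    return trace, cfg


def check_offer(data):
    """Findings for a captured OFFER/ACK; empty list means every field is on the allowlist."""
    o = parse(data)["options"]
    seen = {"server": o.get(54), "router": o.get(3), "dns": o.get(6)}
    findings = []
    for field, raw in seen.items():
        val = str(IPv4Address(raw[:4])) if raw else None   # first address only for multi-valued options
        if val not in TRUSTED[field]:
            findings.append(f"{field} {val} not trusted")
    return findings


def rogue_offer_sample(mac=bytes.fromhex("001122334455"), xid=0x3903F326):
    """A constructed OFFER as a rogue server at 10.0.0.99 might send it (sample data)."""
    return build(BOOTREPLY, xid, mac, [(53, bytes([OFFER])), (3, ip("10.0.0.99")),
                 (6, ip("198.51.100.7")), (54, ip("10.0.0.99"))],
                 yiaddr="10.0.0.50", siaddr="10.0.0.99")


if __name__ == "__main__":
    print(dora_exchange())
    print(check_offer(rogue_offer_sample()))
```

In a capture, `check_offer` would be fed the UDP payload of every packet with source port 67; the server identifier (option 54) is what a client echoes in its REQUEST, so it is the field a rogue server must set to win the race, and the router (3) and DNS (6) options are the payload it uses to redirect traffic.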

Common pitfalls

  • Rogue DHCP servers on the same segment handing out bad gateways or DNS servers; the first offer to arrive usually wins, so a rogue on the local segment can beat a legitimate server reached through a relay.
  • Forgetting that DHCP broadcasts do not cross routers: a subnet without a local server needs a relay agent that forwards the client's messages to the server as unicast.
  • Leases that are too long or too short, creating address exhaustion on one side and renewal churn on the other.