How do I locate rogue DHCP servers?

Tags: dhcp, dhcp-server

I am investigating some odd behaviour on a subnet, where host registration doesn't list some of the IPs that some users report having. Now that I've seen evidence, I want to passively scan for the presence of a rogue DHCP server, not listed in my domain.
How might I do that?

Or rather, are there any Linux tools to list the DHCP servers within a domain?
(I might write a script to search randomly, as I suspect the rogue DHCP server is not on all the time, or perhaps not acting as a DHCP server all the time.)

Best Answer

One thing that seems to be rarely suggested is inspecting one of the clients that has a bad address and looking at where it came from. For example, on a Windows client "ipconfig /all" will tell you immediately what the rogue server address was.

For long-term monitoring, the check_dhcp plugin for Nagios can be set to warn if you have too many responses, or an unexpected response.

As TomTom says, most enterprisey switches can be hardened to defend against various things including rogue DHCP servers.
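The answer's "unexpected response" check can be scripted on Linux as well. The following is an added example, not code from the question, the answer or the Nagios plugin: it parses the BOOTP header and TLV options of DHCP payloads (the UDP data a capture on ports 67/68 would hand you), reads the server identifier (option 54) out of every OFFER/ACK, and reports any server that is not on an allowlist. The allowlist address 192.0.2.1, the unknown server 192.0.2.250 and the sample packets are constructed for the example; on a real subnet you would feed in payloads captured with tcpdump and put your own DHCP servers in the allowlist.

```python
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2132 magic cookie at offset 236
BOOTP_FMT = "!BBBBIHHIIII"                  # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_LEASE = 53, 54, 51
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

# Constructed allowlist: the only DHCP server that is supposed to exist on this subnet.
AUTHORIZED_SERVERS = {"192.0.2.1"}


def build_dhcp_reply(msg_type, server_id, yiaddr, xid=0x3903F326):
    """Build a minimal DHCP OFFER/ACK payload (BOOTP header + options).
    Used here only to construct sample input; on a real network the payloads come from a capture."""
    header = struct.pack(BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0, 0,
                         int(IPv4Address(yiaddr)), int(IPv4Address(server_id)), 0)
    header += b"\x00" * (16 + 64 + 128)     # chaddr, sname, file (zeroed)
    options = (DHCP_MAGIC
               + bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
               + bytes([OPT_LEASE, 4]) + struct.pack("!I", 86400)
               + b"\xff")                   # end option
    return header + options


def parse_dhcp(payload):
    """Parse the BOOTP header and TLV options of one DHCP payload (the UDP data)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    fields = struct.unpack(BOOTP_FMT, payload[:28])
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                       # pad option, no length byte
            i += 1
            continue
        if code == 255:                     # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    msg_type = options.get(OPT_MSG_TYPE, b"\x00")[0]
    return {
        "op": fields[0],
        "xid": fields[4],
        "yiaddr": str(IPv4Address(fields[8])),
        "msg_type": MSG_NAMES.get(msg_type, str(msg_type)),
        # Option 54 names the server that answered; fall back to siaddr if it is absent.
        "server_id": (str(IPv4Address(options[OPT_SERVER_ID])) if OPT_SERVER_ID in options
                      else str(IPv4Address(fields[9]))),
    }


def find_rogue_servers(payloads, authorized=AUTHORIZED_SERVERS):
    """Return (server, msg_type, offered_ip) for every OFFER/ACK sent by a server not on the allowlist."""
    rogue = []
    for payload in payloads:
        pkt = parse_dhcp(payload)
        if pkt["op"] != 2 or pkt["msg_type"] not in ("OFFER", "ACK"):
            continue                        # only server-to-client replies identify a server
        if pkt["server_id"] not in authorized:
            rogue.append((pkt["server_id"], pkt["msg_type"], pkt["yiaddr"]))
    return rogue


# Constructed sample capture: one offer from the legitimate server, two replies from an unknown host.
SAMPLE_PAYLOADS = [
    build_dhcp_reply(2, "192.0.2.1", "192.0.2.50"),
    build_dhcp_reply(2, "192.0.2.250", "192.0.2.77"),
    build_dhcp_reply(5, "192.0.2.250", "192.0.2.77"),
]

if __name__ == "__main__":
    for server, kind, ip in find_rogue_servers(SAMPLE_PAYLOADS):
        print(f"unlisted DHCP server {server} sent {kind} offering {ip}")
```

Because the question suspects the rogue server is only intermittently active, this kind of check is worth running continuously against a live capture rather than once; the same allowlist comparison is what a monitoring plugin such as check_dhcp performs on each poll.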
