
Dedicated DHCP Server

SOLVED

InfoSecDude
Contributor
Posts: 2
Registered: 01-07-2022

Dedicated DHCP Server

Message 1 of 4
(841 Views)

Hello everyone,

I work with Security, so I'd like to have control over my home environment, especially my home network. One of my ideas is to set up a dedicated DHCP server using a Raspberry Pi so that I can monitor the DHCP leases in real time. I checked the Verizon Fios router, but it doesn't allow me to specify a dedicated DHCP server. I'd like to confirm that before trying other options. Does anyone know if I can have a dedicated DHCP server and still use my Fios router for the other network functions?

3 Replies

Cang_Household
Gold Contributor VII
Posts: 1,770
Registered: 09-06-2020

Re: Dedicated DHCP Server (Accepted Solution is Message 4)

Message 2 of 4
(819 Views)

First of all, having knowledge of the DHCP lease table probably won't give you better information than using nmap to do host discovery from time to time. The DHCP lease table won't get updated unless 1) a lease expires; 2) a new lease is requested; or 3) the server discovers that a leased host is unresponsive. Among these scenarios, scenario #3 is the most useful in monitoring DHCP client devices, which is essentially host discovery. You can use nmap to do host discovery more frequently and monitor not only the DHCP clients but also the entire address space of your subnet.

Monitoring the live hosts on your network may be step 1; if you want more security, I would suggest you look into port mirroring and deep packet inspection.

To actually answer your question, the procedure to set up a customized DHCP server is very simple, but not so the principle behind it. The procedure is really just to disable the DHCP server in the Verizon router and operate another DHCP server on the Pi. I will get into the technical details too if you are interested.

DHCP starts with discovery, which is a layer 2 broadcast frame sent from the DHCP client. This broadcast frame will be forwarded to all ports on a switch and every association of an access point. This results in every device on the link receiving this broadcast discovery. The host which is also acting as a DHCP server will pick up the frame, respond to it, and complete the subsequent DHCP transactions. So there is no need to specify the location of the DHCP server anywhere; simply let it be on the link.

InfoSecDude
Contributor
Posts: 2
Registered: 01-07-2022

Re: Dedicated DHCP Server

Message 3 of 4
(814 Views)

Hello Cang,

Thank you for your answer! But unfortunately your solution would be too noisy in my home environment since I have Suricata IDS running on my subnets. Running a host discovery scan would generate many alarms, and I want to keep the false positives to a minimum since all the alarms go to an internal ELK dashboard that I implemented some weeks ago.

Also, I know how DHCP works, lol. I work with pentesting and red teaming, so I have to. I have been using the Kea DHCP server in my virtual lab, and it works perfectly for passive reconnaissance. Whenever I add a new VM into my lab, a new entry is added to Kea's PostgreSQL database, and I have a Python script that captures that immediately using SQL hooks. This doesn't cause any noise in my network. That's why I want to use it in my WiFi subnets.

I asked that question because I don't know if the Fios router implements port security. If it does, simply disabling the DHCP service from the router and implementing my own wouldn't work since the DHCP Offer messages would be filtered (so as to avoid having rogue DHCP servers in the network).

One last note... Your approach wouldn't work quite well if some of the hosts in the network block incoming packets (TCP, UDP, ICMP, etc.). The discovery scans use one of these protocols. If I block incoming packets (using iptables or nftables on Linux, for example), your scan wouldn't detect my host. I do that all the time when red teaming. I also like to block incoming traffic even to ports in listening state when I'm doing CTFs, allowing incoming connections only after a port knocking process (SPA) is done. Better be safe than sorry. lol

Anyway, I will implement a Kea DHCP server in my physical network and see how it goes.

Thanks for the chat!

Cang_Household
Gold Contributor VII
Posts: 1,770
Registered: 09-06-2020

Re: Dedicated DHCP Server (Accepted Solution)

Message 4 of 4
(751 Views)

@InfoSecDude wrote:

I asked that question because I don't know if the Fios router implements port security. If it does, simply disabling the DHCP service from the router and implementing my own wouldn't work since the DHCP Offer messages would be filtered (so as to avoid having rogue DHCP servers in the network).

One last note... Your approach wouldn't work quite well if some of the hosts in the network block incoming packets (TCP, UDP, ICMP, etc.). The discovery scans use one of these protocols. If I block incoming packets (using iptables or nftables on Linux, for example), your scan wouldn't detect my host.

By port security, do you mean the built-in 4-port switch on the G3100 has port filtering ability? No. The firmware did not include this feature. They do strip away the 802.1Q tag, I believe.

Right, host discovery won't work if a client does not respond to TCP, UDP, or ICMP. A better approach would be to use port mirroring to inspect network traffic.
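An added example, not code from this thread or from the Kea project: a small Python DHCPv4 decoder and passive monitor that illustrates Cang's point that every host on the link sees the Discover broadcast, so a listener on the Pi can log first-seen clients in real time without any active scanning, and can also flag any OFFER or ACK whose server identifier (option 54) is not the trusted server, which is the rogue-DHCP-server concern raised in this thread. The trusted address 192.168.1.1, the MAC addresses and the packets are constructed sample data produced by the `build()` helper; capturing real UDP/67-68 frames (raw socket or a pcap library) is outside the block.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # magic cookie that starts the DHCP option field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header and the TLV options of one DHCPv4 UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]  # hardware address length (6 for Ethernet)
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:  # pad option has no length byte
            i += 1
        else:
            tag, length = payload[i], payload[i + 1]
            opts[tag] = payload[i + 2:i + 2 + length]
            i += 2 + length
    return {"mac": ":".join(f"{x:02x}" for x in payload[28:28 + hlen]),  # chaddr
            "yiaddr": ".".join(map(str, payload[16:20])),  # address offered/assigned
            "type": MSG_TYPES.get(opts.get(53, b"\x00")[0], "OTHER"),
            "server": ".".join(map(str, opts[54])) if 54 in opts else None,  # server identifier
            "hostname": opts[12].decode(errors="replace") if 12 in opts else None}

class LeaseMonitor:
    """Records first-seen clients; flags OFFER/ACK from any server but the trusted one."""
    def __init__(self, trusted_server: str) -> None:
        self.trusted, self.seen, self.alerts = trusted_server, {}, []
    def feed(self, payload: bytes) -> dict:
        m = parse_dhcp(payload)
        if m["type"] in ("DISCOVER", "REQUEST") and m["mac"] not in self.seen:
            self.seen[m["mac"]] = m["hostname"]
            self.alerts.append(f"new client {m['mac']} ({m['hostname']})")
        if m["type"] in ("OFFER", "ACK") and m["server"] != self.trusted:
            self.alerts.append(f"rogue DHCP server {m['server']} offering {m['yiaddr']} to {m['mac']}")
        return m

def build(op, mac, mtype, yiaddr="0.0.0.0", server=None, hostname=None) -> bytes:
    """Construct a minimal DHCPv4 payload (sample data for the demo, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0x8000)  # op..flags, broadcast bit set
    hdr += b"\x00" * 4 + bytes(int(x) for x in yiaddr.split(".")) + b"\x00" * 8  # ciaddr yiaddr siaddr giaddr
    hdr += bytes.fromhex(mac.replace(":", "")) + b"\x00" * 10 + b"\x00" * 192  # chaddr, sname, file
    opts = b"\x35\x01" + bytes([mtype])  # option 53: message type
    if server:
        opts += b"\x36\x04" + bytes(int(x) for x in server.split("."))  # option 54
    if hostname:
        opts += b"\x0c" + bytes([len(hostname)]) + hostname.encode()  # option 12
    return hdr + MAGIC + opts + b"\xff"
```

Feeding the monitor from a real capture rather than `build()` output is the only change needed on the Pi; the alerts list is what a script would forward to the ELK dashboard mentioned above.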
