First of all, having a knowledge of the DHCP lease table probably won't give you better information than using nmap to do host discovery from time to time. DHCP lease table won't get updated unless 1) a lease expires; 2) a new lease is requested; or 3) the server discovers a leased host that is unresponsive. Among these scenarios, scenario #3 is the most useful in monitoring DHCP client devices, which is essentially host discovery. You can use nmap to do host discovery more frequently and monitor not only the DHCP clients but also the entire address space of your subnet.

Monitoring the live hosts on your network may be step 1, if you want more security, I would suggest you to look into port mirroring and deep packet inspection.

To actually answer your question, the procedure to setup a customized DHCP server is very simple, but not so the principle behind it. The procedure is really just disable the DHCP server in Verizon router and operate another DHCP server on Pi. I will get into the technical details too if you are interested.

DHCP starts with discovery, which is a layer 2 broadcast frame sent from the DHCP client. This broadcast frame will be forwarded to all ports on a switch and every associations of an access point. This results in every device on the link will receive this broadcast discovery. The host which is also acting as a DHCP server will pick up the frame and respond to it and complete the subsequent DHCP transactions. So no need to specify the location of DHCP server anywhere besides simply let it be on the link.

Hello Cang,

Thank you for your answer! But unfortunately your solution would be too noisy in my home environment since I have Suricata IDS running on my subnets. Running a host discovery scan would generate many alarms, and I want to keep the false positives to a minimum since all the alarms go to an internal ELK dashboard that I implemented some weeks ago.

Also, I know how DHCP works, lol. I work with pentesting and red teaming, so I have to. I have been using the Kea DHCP server in my virtual lab, and it works perfectly for passive reconnaissance. Whenever I add a new VM into my lab, a new entry is added to the Kea’s PostgreSQL database, and I have a Python script that captures that immediately using SQL hooks. This doesn’t cause any noise in my network. That’s why I want to use it in my WiFi subnets.

I asked that question because I don’t know if the Fios router implements port security. If it does, simply disabling the DHCP service from the router and implementing my own wouldn’t work since the DHCP Offer messages would be filtered (so as to avoid having rogue DHCP servers in the network).

One last note… Your approach wouldn’t work quite well if some of the hosts in the network block incoming packets (TCP, UDP, ICMP, etc). The discovery scans use one of these protocols. If I block incoming packets (using iptables or nftables on Linux, for example), your scan wouldn’t detect my host. I do that all the time when red teaming. I also like to block incoming traffic even to ports in listening state when I’m doing CTFs, allowing incoming connections only after a port knocking process (SPA) is done. Better be safe than sorry. lol

Anyway, I will implement a Kea DHCP server in my physical network and see how it goes.

Thanks for the chat!