HCSB asked:
How can I find a rogue DHCP server?

I have figured out that it is the trojanflush.m virus/malware that is causing this. It gives the machines a 1 hour lease time and gives you bogus DNS addresses. The site that is affected has around 400 computers, so it's like finding a needle in a haystack. Any help would be greatly appreciated.
Chris Dent (United Kingdom) replied:
Are your switches Managed? Can you tie a MAC address to a Port?

Or, if it's a Windows network and you have the MAC, it is possible to check the MAC address on each client remotely (using WMI and a bit of scripting).

Chris
Where is your DNS normally pointed to? If your server is controlling DNS, I would have thought you could set up the perimeter firewall to block all DNS requests from all PCs except for the server. All PCs that have been zombied would try to connect to the rogue DNS address but would be barred by the perimeter firewall, so it is immediately obvious which PCs are affected.
You can always use Ethereal to capture data packets and analyse them afterwards.
You can also be sure that rogue DHCP servers are not operating in your network if you enable DHCP snooping on your switches.
Cisco supports the feature. It is possible that other vendors also have DHCP snooping support.

Dimitris
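If you take the capture route suggested above, the analysis step is mechanical: any DHCPOFFER whose server identifier (option 54) is not your real DHCP server, or that hands out DNS servers you do not run, came from the rogue, and the lease time (option 51) corroborates it. The script below is an added example, not code from this thread or from any tool mentioned in it. It parses the UDP payload of each captured BOOTP/DHCP message and flags such offers. Both sample packets are constructed inline; the authorised server 10.0.0.2, the expected DNS servers and the rogue's addresses are assumptions for the demo, not addresses from the thread. In a real run you would feed it the DHCP payloads exported from Ethereal/Wireshark (or a pcap reader) instead of the constructed ones.

```python
"""Flag rogue DHCPOFFERs in captured DHCP traffic (UDP payloads)."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP options field
OFFER = 2                                   # DHCP message type DHCPOFFER

# Assumptions for this demo, not addresses from the thread.
AUTHORISED_SERVERS = {"10.0.0.2"}           # the site's real DHCP server
EXPECTED_DNS = {"10.0.0.2", "10.0.0.3"}     # DNS servers the site actually runs


def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP message (the UDP payload) into the fields that matter
    when hunting a rogue server: xid, offered address, client MAC and options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    xid = struct.unpack_from("!I", payload, 4)[0]
    info = {
        "op": op,                                      # 2 = BOOTREPLY (server to client)
        "xid": xid,
        "yiaddr": str(IPv4Address(payload[16:20])),    # the address being offered
        "client_mac": payload[28:28 + hlen].hex(":"),  # chaddr, first hlen bytes
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option carries no length byte
            i += 1
            continue
        length = payload[i + 1]
        info["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return info


def classify_offer(info: dict):
    """Return a verdict dict for a DHCPOFFER, or None for any other message type."""
    opts = info["options"]
    if opts.get(53, b"")[:1] != bytes([OFFER]):
        return None
    server = str(IPv4Address(opts[54])) if 54 in opts else None       # option 54: server identifier
    lease = struct.unpack("!I", opts[51])[0] if 51 in opts else None  # option 51: lease time (seconds)
    dns_raw = opts.get(6, b"")                                        # option 6: DNS servers, 4 bytes each
    dns = [str(IPv4Address(dns_raw[k:k + 4])) for k in range(0, len(dns_raw), 4)]

    unknown_server = server not in AUTHORISED_SERVERS
    bad_dns = bool(dns) and not set(dns) <= EXPECTED_DNS
    reasons = []
    if unknown_server:
        reasons.append(f"server identifier {server} is not an authorised DHCP server")
    if bad_dns:
        reasons.append(f"offer hands out unexpected DNS servers {dns}")
    if lease is not None and lease <= 3600:   # corroborating only; the thread's malware used 1 hour leases
        reasons.append(f"short lease of {lease}s")
    return {"server": server, "offered_to": info["client_mac"], "yiaddr": info["yiaddr"],
            "lease": lease, "dns": dns, "rogue": unknown_server or bad_dns, "reasons": reasons}


def find_rogue_offers(payloads):
    """Run every captured DHCP payload through the classifier and keep the rogue offers."""
    hits = []
    for p in payloads:
        verdict = classify_offer(parse_dhcp(p))
        if verdict and verdict["rogue"]:
            hits.append(verdict)
    return hits


def build_offer(server, yiaddr, lease, dns, client_mac=b"\x00\x11\x22\x33\x44\x55", xid=0x3903F326):
    """Construct a DHCPOFFER payload. Used here only to make constructed sample input."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0x8000)   # BOOTREPLY, Ethernet, hlen 6, broadcast flag
    hdr += bytes(4)                                             # ciaddr
    hdr += IPv4Address(yiaddr).packed                           # yiaddr
    hdr += IPv4Address(server).packed                           # siaddr
    hdr += bytes(4)                                             # giaddr
    hdr += client_mac.ljust(16, b"\x00") + bytes(64) + bytes(128)   # chaddr, sname, file
    dns_bytes = b"".join(IPv4Address(d).packed for d in dns)
    opts = (bytes([53, 1, OFFER])
            + bytes([54, 4]) + IPv4Address(server).packed
            + bytes([51, 4]) + struct.pack("!I", lease)
            + bytes([6, len(dns_bytes)]) + dns_bytes
            + bytes([255]))
    return hdr + MAGIC_COOKIE + opts


# Constructed sample capture: one offer from the real server, one from the rogue.
SAMPLE_OFFERS = [
    build_offer("10.0.0.2", "10.0.1.50", 86400, ["10.0.0.2"]),
    build_offer("10.0.1.77", "10.0.1.51", 3600, ["198.51.100.10", "198.51.100.11"]),
]

if __name__ == "__main__":
    for hit in find_rogue_offers(SAMPLE_OFFERS):
        print(f"rogue DHCP server {hit['server']} offered {hit['yiaddr']} to {hit['offered_to']}")
        for reason in hit["reasons"]:
            print("  -", reason)
```

The server identifier in the rogue offer is the address you then chase on the switches; the offered-to MAC tells you which clients already took the bad lease. This is the same check DHCP snooping performs in the switch (only offers arriving on a trusted port are allowed through), done after the fact on a capture for hardware that cannot run it.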
HCSB (asker) replied:
All switches except for one building are managed Cisco switches. The only problem is they're all out of date, so in order to use DHCP snooping we would need to update all the switches; we checked, and our current version doesn't support it.

The DNS addresses it uses were already blocked by our firewall, so we know which ones are getting the bogus address. The problem is finding the machine that is handing them out.
Hi

try using dhcploc.exe

http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/DHCPandDNS/UsingtheDHCPLOCUtility.html

This will give you the IP address of the server; then run NBTSTAT -A [IPADDRESS].

If you don't recognise the name, do the following.

On your switches,

check which port that MAC is on
via
show ip arp [ip-address]
or
show ip arp

Happy hunting
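The last step of that procedure is the one that takes time across 400 machines: turn the rogue's IP into a MAC with `show ip arp`, then turn the MAC into a switch port with `show mac address-table address <mac>`. The script below is an added example, not code from this thread, that does that lookup over pasted switch output. The two tables are constructed sample output in the format Cisco IOS prints; the addresses are assumptions for the demo. `normalize_mac` also accepts the hyphenated form that `nbtstat -A` prints, so the MAC from either source can be matched against the switch tables.

```python
"""Map a rogue DHCP server's IP to a switch port from 'show ip arp' and
'show mac address-table' output."""
import re

# Constructed sample output of 'show ip arp' (Cisco IOS format).
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.2                -   0000.0c07.ac01  ARPA   Vlan10
Internet  10.0.1.77               3   0011.2233.4455  ARPA   Vlan10
"""

# Constructed sample output of 'show mac address-table' (Cisco IOS format).
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac01    DYNAMIC     Gi0/1
  10    0011.2233.4455    DYNAMIC     Fa0/12
  10    0011.2233.4466    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 3
"""

DOTTED = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(rf"^Internet\s+(\S+)\s+\S+\s+({DOTTED})\s+ARPA\s+(\S+)", re.M)
MAC_RE = re.compile(rf"^\s*(\d+)\s+({DOTTED})\s+(\S+)\s+(\S+)\s*$", re.M)


def normalize_mac(mac: str) -> str:
    """Convert any common MAC spelling (00-11-22-33-44-55 from nbtstat,
    00:11:22:33:44:55, 0011.2233.4455) to the dotted form Cisco IOS prints."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def mac_for_ip(arp_output: str, ip: str):
    """Return the dotted MAC that 'show ip arp' lists for ip, or None."""
    for addr, mac, _iface in ARP_RE.findall(arp_output):
        if addr == ip:
            return mac
    return None


def port_for_mac(mac_output: str, mac: str):
    """Return the port on which 'show mac address-table' has learned mac, or None."""
    wanted = normalize_mac(mac)
    for _vlan, learned, _typ, port in MAC_RE.findall(mac_output):
        if learned == wanted:
            return port
    return None


def locate(ip: str, arp_output: str, mac_output: str):
    """Resolve ip -> MAC -> port. other_macs_on_port > 0 usually means the port is an
    uplink to another switch, so repeat the MAC lookup on that downstream switch."""
    mac = mac_for_ip(arp_output, ip)
    if mac is None:
        return None
    port = port_for_mac(mac_output, mac)
    others = [m for _v, m, _t, p in MAC_RE.findall(mac_output) if p == port and m != mac]
    return {"ip": ip, "mac": mac, "port": port, "other_macs_on_port": len(others)}


if __name__ == "__main__":
    hit = locate("10.0.1.77", ARP_TABLE, MAC_TABLE)
    print(hit)
```

If the port comes back with several other MACs behind it, it is almost certainly a trunk to the next switch; run `show mac address-table address <mac>` there and repeat until the MAC is alone on an access port. That port is the machine to pull.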


ASKER CERTIFIED SOLUTION by xmachine (Kuwait): solution text only available to Experts Exchange members.