Rogue DHCP server on network

On our network, we use DHCP. DHCP is given out by our Sonicwall NSA 240 device.
We have a domain network, with our own DNS server, etc.

I don't know why, but on my network, the workstations are picking up a different DNS other than the one our Sonicwall is giving out, which is causing havoc. Active Directory no longer works correctly; if my DC is offline, nobody can go on the internet, etc.

The DNS IP that it's picking up is that of this ADP server. I called their tech support and they weren't very helpful. They said the DHCP on the machine is turned off, no scopes defined, etc. I have no control over how this server operates, so I think I am SOL. They added my DNS as a forwarder on their machine, but it still causes problems if the ADP server is doing maintenance.

It's weird because it doesn't happen all the time; when you do an ipconfig /renew, the workstations will get the correct DNS from the Sonicwall. It's when it does an auto-renew or something that it will pick up the DNS IP from the ADP server.

I guess an option would be to move this server to an entirely different subnet.
Is there some workaround from a network perspective? Is there something I can do on my switch to fix this issue? My switches are Cisco.
theonlyallanAsked:
Brain2000Commented:
Sorry, I had a typo:

ip access-list extended NODHCP
  permit udp host 192.168.0.10 any eq bootpc
  permit udp any host 192.168.0.10 eq bootps
  deny udp any any eq bootps
  deny udp any eq bootps any
  permit ip any any
!
interface vlan1
  ip access-group NODHCP in
!


If that still doesn't work, you can try it old style:

access-list 101 permit udp host 192.168.0.10 any eq bootpc
access-list 101 permit udp any host 192.168.0.10 eq bootps
access-list 101 deny udp any any eq bootps
access-list 101 deny udp any eq bootps any
access-list 101 permit ip any any
!
interface vlan1
  ip access-group 101 in
!
 
HodepineCommented:
Cisco switches support DHCP snooping for this.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/dhcp.pdf

Basically, you turn it on and define which port your trusted DHCP server is on, and that's the only port where you can get DHCP information from.

 
digitapCommented:
The Cisco solution sounds easy to implement.  You could create a new subnet as you indicated and put that subnet on a spare interface on the NSA.  Put the ADP server on that interface.
 
theonlyallanAuthor Commented:
Unfortunately my Cisco switches don't support DHCP snooping. They are the C2950 & C3524 series. I'll have to buy new switches.
 
Brain2000Commented:
If you go with the DHCP snoop route, as Hodepine suggests, you can enable that and trust the port that hooks back to your DHCP server via the following (let's assume it is plugged into port 1):

ip dhcp snooping
! snooping does nothing until it is also enabled on the VLAN the clients are in
ip dhcp snooping vlan 1
!
interface fastethernet 0/1
  ip dhcp snooping trust


You could also completely block DHCP from the port that is hooked to the switch.  For example, if it were plugged into the 24th port on the switch:

ip access-list extended NODHCP
  deny udp any any eq bootps
  deny udp any eq bootps any
  ! extended ACL entries need the protocol keyword ("ip"), so "permit any any" is rejected
  permit ip any any
!
interface fastethernet 0/24
  ip access-group NODHCP in
 
Brain2000Commented:
If your switch doesn't support DHCP snooping, try the access list block.
 
theonlyallanAuthor Commented:
@Brian2000:
do you know if my switch supports the access list block?
 
Brain2000Commented:
Yes, it should. Give it a try and see what you get. You may have to play with the port number, though, to get the right format, i.e.

interface fastethernet 24/0

or

interface fastethernet 0/24

I can't remember how they have this set up.  And remember, the computer you're blocking is probably not on port 24 on the switch, so you'll have to pick the right port or it won't work.
 
HodepineCommented:
Both 2950 and 3524 should support DHCP snooping with the right software. You won't have to buy new switches, but you may have to upgrade them.

The configuration is the same on all IOS based platforms, so that's why I just picked one. Don't worry about the documentation being for the 4500.
 
Cas KristCommented:
Are you sure the ADP server is acting as a DHCP server? You can see this with ipconfig /all; this should show the DHCP server. If it is the ADP server, then you have evidence when contacting their tech support.
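Cas Krist's point is to collect proof of which host is actually answering the clients. As an added example, not code from the original thread, here is a small Python parser for DHCP server replies that flags every OFFER/ACK whose Server Identifier (option 54) is not the trusted DHCP server and lists the DNS servers (option 6) that server pushes. The trusted address 192.168.0.10 is the one Brain2000 used in the ACL; the second server at 192.168.0.50 and the packets themselves are constructed sample input, not a capture from the poster's network. Real input would be the UDP payloads of port 67 to port 68 traffic taken from a packet capture on the affected VLAN.

```python
"""
Rogue-DHCP evidence collector (added example, not from the original thread).

Feed it the UDP payloads of DHCP server replies (udp/67 -> udp/68, i.e. the
BOOTP message) and it reports every OFFER/ACK whose Server Identifier
(option 54) is not a trusted DHCP server, together with the DNS servers
(option 6) that server is handing to clients.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # RFC 2132 DHCP options cookie
BOOTREPLY = 2
DHCPOFFER, DHCPACK = 2, 5               # option 53 message types we care about
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255


def parse_options(payload):
    """Return {option_code: raw_value} for a BOOTP/DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value          # last occurrence wins; no option-overload handling
        i += 2 + length
    return opts


def addr_list(raw):
    """Decode a run of 4-byte IPv4 addresses (the option 6 / option 3 format)."""
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]


def inspect_reply(payload, trusted_servers):
    """Classify one server reply; None if it is not a DHCP OFFER/ACK."""
    if payload[0] != BOOTREPLY:
        return None
    opts = parse_options(payload)
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if msg_type not in (DHCPOFFER, DHCPACK):
        return None
    # Option 54 is the server's own statement of who it is; fall back to siaddr.
    if OPT_SERVER_ID in opts:
        server = str(IPv4Address(opts[OPT_SERVER_ID]))
    else:
        server = str(IPv4Address(payload[20:24]))
    return {
        "type": "OFFER" if msg_type == DHCPOFFER else "ACK",
        "server": server,
        "client_ip": str(IPv4Address(payload[16:20])),   # yiaddr
        "dns": addr_list(opts.get(OPT_DNS, b"")),
        "rogue": server not in trusted_servers,
    }


def find_rogues(payloads, trusted_servers):
    """Findings for every OFFER/ACK that did not come from a trusted server."""
    findings = (inspect_reply(p, trusted_servers) for p in payloads)
    return [f for f in findings if f is not None and f["rogue"]]


def build_reply(msg_type, server, client_ip, dns_servers, xid=0x3903F326):
    """Construct a minimal DHCP reply (sample input only; not a real capture)."""
    chaddr = bytes.fromhex("001122334455").ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREPLY, 1, 6, 0, xid, 0, 0,
                         b"\x00" * 4,                       # ciaddr
                         IPv4Address(client_ip).packed,     # yiaddr
                         IPv4Address(server).packed,        # siaddr
                         b"\x00" * 4,                       # giaddr
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    dns = b"".join(IPv4Address(d).packed for d in dns_servers)
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server).packed
               + bytes([OPT_DNS, len(dns)]) + dns
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


# Constructed sample: the trusted server at 192.168.0.10 (the address used in the
# thread's ACL) and a hypothetical second server at 192.168.0.50 that hands out
# itself as the DNS server.
TRUSTED = {"192.168.0.10"}
SAMPLE_REPLIES = [
    build_reply(DHCPOFFER, "192.168.0.10", "192.168.0.101", ["192.168.0.5"]),
    build_reply(DHCPOFFER, "192.168.0.50", "192.168.0.101", ["192.168.0.50"]),
    build_reply(DHCPACK, "192.168.0.50", "192.168.0.101", ["192.168.0.50"]),
]

if __name__ == "__main__":
    for f in find_rogues(SAMPLE_REPLIES, TRUSTED):
        print(f"ROGUE {f['type']} from {f['server']} -> {f['client_ip']} DNS={f['dns']}")
```

The server address reported here is the same one that shows up under "DHCP Server" in ipconfig /all on an affected workstation, and it is the source IP that a switch ACL like the one in this thread has to match, so the two checks should agree before you change the switch configuration.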
 
theonlyallanAuthor Commented:
@Brian2000

I can create the list on the Cisco C2950, but I can't assign it to the interface; it gives an error message.
The switch is running the standard image. I guess it doesn't support access lists on the interface, only on the management VLAN1. Quite useless..

And on the C3548-XL-EN switch, it says invalid; that command doesn't work for this switch.

 
digitapCommented:
If you're running into dead ends with a Cisco solution, check out my comment above.
 
Brain2000Commented:
If we can only apply it to VLAN1, this should work.  This example will assume your DHCP server is 192.168.0.10.  Hopefully I didn't mix up bootps and bootpc....

By the way, this will block DHCP coming from anywhere except 192.168.0.10.

ip access-list extended NODHCP
  permit udp host 192.168.0.10 any eq bootpc
  permit udp any host 192.168.0.10 eq bootps
  deny udp any any eq bootps
  deny udp any eq bootps any
  permit any any
!
interface vlan1
  ip access-group NODHCP in
!
 
theonlyallanAuthor Commented:
Permit any any isn't a valid command on my switch.

Am I missing a command in front of it?
 
theonlyallanAuthor Commented:
Hi @Brian

The access-list seems to be working. I'm going to wait a few more days and update...
Is this access-list for the individual switch only, or does it replicate itself onto the other switches like VLAN domains?
 
Brain2000Commented:
It's only for this switch. So if you ever move the ADP server to another switch/port, you'll want to configure that switch instead.
 
theonlyallanAuthor Commented:
It works! Thank you!