Rogue DHCP server on network

On our network, we use DHCP. DHCP is given out by our Sonicwall NSA 240 device.
We have a domain network, with our own DNS server, etc.

I don't know why, but on my network the workstations are picking up a different DNS server than the one our Sonicwall is giving out, which is causing havoc. Active Directory no longer works correctly; if my DC is offline, nobody can go on the internet, etc.

The DNS IP that it's picking up is that of this ADP server. I called their tech support and they weren't very helpful. They said the DHCP on the machine is turned off, no scopes defined, etc. I have no control over how this server operates, so I think I am SOL. They added my DNS as a forwarder to their machine, but it still causes problems if the ADP server is doing maintenance.

It's weird because it doesn't happen all the time: when you do an ipconfig /renew, the workstations will get the correct DNS from the Sonicwall. It's when it does an auto-renew or something that it will pick up the DNS IP from the ADP server.

I guess an option would be to move this server to an entirely different subnet.
Is there some workaround from a network perspective? Is there something I can do to my switch to fix this issue? My switches are Cisco.
theonlyallanAsked:
HodepineCommented:
Cisco switches support DHCP snooping for this.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/dhcp.pdf

Basically, you turn it on and define which port your trusted DHCP server is on, and that's the only port where you can get DHCP information from.

0
digitapCommented:
The Cisco solution sounds easy to implement.  You could create a new subnet as you indicated and put that subnet on a spare interface on the NSA.  Put the ADP server on that interface.
0
theonlyallanAuthor Commented:
Unfortunately my Cisco switches don't support DHCP snooping. They are the C2950 & C3524 series. I'll have to buy new switches.
0
Brain2000Commented:
If you go with the DHCP snoop route, as Hodepine suggests, you can enable that and trust the port that hooks back to your DHCP server via the following (let's assume it is plugged into port 1):

ip dhcp snooping
ip dhcp snooping vlan 1
! port that hooks back to the DHCP server (port 1 assumed)
interface fastethernet 1/0
  ip dhcp snooping trust


You could also completely block DHCP from the port that is hooked to the switch.  For example, if it were plugged into the 24th port on the switch:

ip access-list extended NODHCP
  deny udp any any eq bootps
  deny udp any eq bootps any
  permit ip any any

! port the ADP server is plugged into (port 24 assumed)
interface fastethernet 24/0
  ip access-group NODHCP in
0
Brain2000Commented:
If your switch doesn't support DHCP snooping, try the access list block.
0
theonlyallanAuthor Commented:
@Brain2000:
Do you know if my switch supports access list block?
0
Brain2000Commented:
Yes, it should.  Give it a try and see what you get.  You may have to play with the port number though to get the right format.  i.e.

interface fastethernet 24/0

or

interface fastethernet 0/24

I can't remember how they have this set up.  And remember, the computer you're blocking is probably not on port 24 on the switch, so you'll have to pick the right port or it won't work.
0
HodepineCommented:
Both 2950 and 3524 should support DHCP snooping with the right software. You won't have to buy new switches, but you may have to upgrade them.

The configuration is the same on all IOS based platforms, so that's why I just picked one. Don't worry about the documentation being for the 4500.
0
Cas KristCommented:
Are you sure the ADP server is acting as a DHCP server? You can see this with ipconfig /all; this should show the DHCP server. If it is the ADP server, then you have evidence when contacting their tech support.
0
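The check described above (look at which server actually handed out the lease and which DNS it pushed) can be automated over captured DHCP replies. As an added example, not code from this thread, here is a small Python parser that pulls the server identifier (option 54) and DNS list (option 6) out of a DHCP OFFER/ACK payload and flags replies from any server other than the trusted one; the trusted server and expected DNS addresses are assumed placeholders, and the sample OFFER is constructed inline rather than captured.

```python
from ipaddress import IPv4Address
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {2: "OFFER", 5: "ACK"}
TRUSTED_DHCP_SERVERS = {"192.168.0.1"}   # assumed placeholder, not a value from the thread
EXPECTED_DNS = {"192.168.0.10"}          # assumed placeholder, not a value from the thread

def parse_options(data):
    """Return {code: raw value} for the option area that follows the magic cookie."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:          # pad option has no length byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def parse_dhcp(payload):
    """Extract message type, server identifier (option 54) and DNS list (option 6)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts = parse_options(payload[240:])
    dns_raw = opts.get(6, b"")
    return {"type": MSG_TYPES.get(opts.get(53, b"\x00")[0], "OTHER"),
            "server_id": str(IPv4Address(opts[54])) if 54 in opts else None,
            "dns": [str(IPv4Address(dns_raw[i:i + 4])) for i in range(0, len(dns_raw), 4)]}

def audit_offer(payload):
    """Return findings for a server reply; an empty list means the offer looks legitimate."""
    msg, findings = parse_dhcp(payload), []
    if msg["type"] == "OTHER":          # only OFFER/ACK replies are judged
        return findings
    if msg["server_id"] not in TRUSTED_DHCP_SERVERS:
        findings.append(f"untrusted DHCP server {msg['server_id']}")
    bad_dns = [d for d in msg["dns"] if d not in EXPECTED_DNS]
    if bad_dns:
        findings.append(f"unexpected DNS servers {bad_dns}")
    return findings

def build_offer(server_ip, dns_ips, yiaddr="192.168.0.50"):
    """Build a constructed sample DHCP OFFER for testing (not a real capture)."""
    hdr = bytes([2, 1, 6, 0]) + bytes(8)                                   # op=2 BOOTREPLY; xid/secs/flags zero
    hdr += bytes(4) + IPv4Address(yiaddr).packed + bytes(8 + 16 + 192)     # ciaddr, yiaddr, siaddr..file
    opts = bytes([53, 1, 2, 54, 4]) + IPv4Address(server_ip).packed        # type=OFFER, server identifier
    opts += bytes([6, 4 * len(dns_ips)]) + b"".join(IPv4Address(d).packed for d in dns_ips)
    return hdr + MAGIC_COOKIE + opts + b"\xff"
```

Feed audit_offer() the UDP payload of each reply seen on port 68 (e.g. from a packet capture) and any non-empty result points at the machine answering DHCP that should not be.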
theonlyallanAuthor Commented:
@Brain2000

I can create the list on the Cisco C2950, but I can't assign it to the interface; it gives an error message.
The switch is running the standard image. I guess it doesn't support access lists on the interface, only on the management VLAN1. Quite useless.

And on the C3548-XL-EN switch, it says invalid; that command doesn't work for this switch.

0
digitapCommented:
If you're running into dead ends with a Cisco solution, check out my comment above.
0
Brain2000Commented:
If we can only apply it to VLAN1, this should work.  This example will assume your DHCP server is 192.168.0.10.  Hopefully I didn't mix up bootps and bootpc....

By the way, this will block DHCP coming from anywhere except 192.168.0.10.

ip access-list extended NODHCP
  permit udp host 192.168.0.10 any eq bootpc
  permit udp any host 192.168.0.10 eq bootps
  deny udp any any eq bootps
  deny udp any eq bootps any
  permit any any
!
interface vlan1
  ip access-group NODHCP in
!
0
theonlyallanAuthor Commented:
Permit any any isn't a valid command on my switch.

Am I missing a command in front of it?
0
Brain2000Commented:
Sorry, I had a typo:

ip access-list extended NODHCP
  permit udp host 192.168.0.10 any eq bootpc
  permit udp any host 192.168.0.10 eq bootps
  deny udp any any eq bootps
  deny udp any eq bootps any
  permit ip any any
!
interface vlan1
  ip access-group NODHCP in
!


If that still doesn't work, you can try it old style:

access-list 101 permit udp host 192.168.0.10 any eq bootpc
access-list 101 permit udp any host 192.168.0.10 eq bootps
access-list 101 deny udp any any eq bootps
access-list 101 deny udp any eq bootps any
access-list 101 permit ip any any
!
interface vlan1
  ip access-group 101 in
!
0

theonlyallanAuthor Commented:
Hi @Brain2000

The access-list seems to be working. I'm going to wait a few more days and update...
Is this access-list for the individual switch only, or does it replicate itself onto the other switches like VLAN domains?
0
Brain2000Commented:
It's only for this switch.  So if you ever move the ADP server to another switch/port you'll want to configure that switch instead.
0
theonlyallanAuthor Commented:
It works! Thank you!
0