Solved

DHCP SERVER SOMEWHERE BUT CANNOT FIND

Posted on 2012-09-19
667 Views
Last Modified: 2012-10-05
I have a utility called Rougcheck and it looks for rogue DHCP servers on a network.

However, our server has a 10.0.0.30 and the gateway is 10.0.0.1 and sends it out correctly.

But somewhere a device is sending out a 192.168.0.1 gateway and sometimes DNS, but the IP address is still a 10.0.0.X. After hoping we had removed the wireless routers we have, we cannot find what is putting out that address.

Is there a simple utility that can help find it?

It is screwing up the entire DHCP scheme at random. Sometimes release and renew fixes it.
Microsoft 2003 SBS with one network card.
Question by: russgarrett

16 Comments
LVL 78

Expert Comment

by:Rob Williams
ID: 38415701
I did an article a while back regarding locating rogue DHCP servers.  It may be of some help:
http://blog.lan-tech.ca/2012/04/23/rogue-dhcp-servers/

Expert Comment

by:Cliff Galiher
ID: 38415724
If you have managed switches, this should be easy. Most managed switches have monitoring (and sometimes filtering) that can tell you which switch port(s) have DHCP traffic. If there is a rogue device, knowing which port, and where that port's wires go to in the building, can help you find the offending device.

If you have unmanaged switches, things get a bit more complicated. You can download a rogue DHCP checker tool from Microsoft here:

http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx

I keep it on a USB key and can run it from a laptop. In such a case, I'd isolate each switch (if you have multiple switches and are using uplink ports) and plug the laptop into each switch and run the tool. You can at least narrow down which switch has the offending device.

Once you know the switch, you can then unplug the cable on each port, one at a time, and re-run the tool. When the offending DHCP server disappears, you have the port where the rogue device is, and you are back to where you'd be with a managed switch. From that point, it is a matter of following the physical cabling back to the problem device.

There is also the edge case where, if you offer wireless access to your users, someone has set up a DHCP server on a computer that is connected wirelessly. Your wireless access point *should* have an option to block or allow DHCP relays on the wireless side. Simply block DHCP traffic. Or, if you want to be more precise, you can look at the MAC address of the DHCP server and then match it to the device name that is registered on the access point(again, every wireless access point I've seen offers the ability to list all connected wireless devices with MAC addresses) ...and you can either identify the device or simply block it (MAC address filtering) and if the person wants wireless access, they'll identify themselves to you rather quickly. From there you can find out if the machine is infected or otherwise misconfigured and correct the problem before allowing it back on your wireless network.
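The Microsoft checker linked above works by broadcasting a DHCP discover and listing every server that answers. As an added example (not the tool itself and not code from anyone in this thread), the following parses a DHCPOFFER and flags it when the server identifier or the pushed router differs from the authorized 10.0.0.30 / 10.0.0.1 from the question; the offer bytes are constructed inline so it runs offline, and the authorized values are an assumption taken from the question.

```python
import ipaddress

# Authorized lease source on the network from the question (assumption: one DHCP server).
AUTHORIZED_SERVER = "10.0.0.30"
AUTHORIZED_ROUTER = "10.0.0.1"
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header

def build_offer(yiaddr, server_id, router, dns):
    """Construct a minimal DHCPOFFER (sample input for this example only)."""
    hdr = bytearray(236)
    hdr[0] = 2                                   # op = BOOTREPLY
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed
    opts = b"\x35\x01\x02"                       # option 53: message type DHCPOFFER
    for code, addr in ((54, server_id), (3, router), (6, dns)):
        opts += bytes([code, 4]) + ipaddress.IPv4Address(addr).packed
    return bytes(hdr) + MAGIC + opts + b"\xff"   # 255 = end of options

def parse_offer(packet):
    """Extract who answered and which gateway/DNS it pushed to the client."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:                       # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    ip = lambda code: str(ipaddress.IPv4Address(opts[code][:4])) if code in opts else None
    return {"yiaddr": str(ipaddress.IPv4Address(packet[16:20])),
            "server_id": ip(54), "router": ip(3), "dns": ip(6)}

def rogue_reasons(offer):
    """Empty list means the authorized server answered with the expected gateway."""
    reasons = []
    if offer["server_id"] != AUTHORIZED_SERVER:
        reasons.append("server identifier %s is not %s" % (offer["server_id"], AUTHORIZED_SERVER))
    if offer["router"] != AUTHORIZED_ROUTER:
        reasons.append("router option %s is not %s" % (offer["router"], AUTHORIZED_ROUTER))
    return reasons

if __name__ == "__main__":
    # Constructed samples: a clean offer, and one matching the symptom in the question
    # (a 10.0.0.x lease but a 192.168.0.1 gateway and DNS).
    for pkt in (build_offer("10.0.0.77", "10.0.0.30", "10.0.0.1", "10.0.0.30"),
                build_offer("10.0.0.78", "192.168.0.1", "192.168.0.1", "192.168.0.1")):
        offer = parse_offer(pkt)
        print(offer, rogue_reasons(offer) or "OK")
```

On a live capture the same parser can be fed the UDP payload of each port 68 reply, and the Ethernet source address of a flagged offer is the MAC to trace through the switch ports.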

Expert Comment

by:Fred Marshall
ID: 38415772
One might think about splitting this up into two pieces:
- there is a DHCP server that's sending out the right IP addresses.
- the same DHCP server is sending out the wrong gateway address.
That would be very strange for a commodity router because they usually tie the DHCP range to their own IP address.  And, they usually use their own IP address as the gateway.  Often that can't be changed. At least that's the case if set in Gateway mode.  

It makes one wonder if a commodity router is being used as a switch (the WAN is disconnected) and the DHCP is turned on and the device is set up in Router mode and it can provide a different gateway address?
With this as a hypothesis, it might narrow down the search.

I would do this:
Set up a machine on the network with an address like: 192.168.0.233 / 255.255.255.0
Don't worry about the "copper" belonging to 10.0.0.0 .. it doesn't.
Ping the entire range from 192.168.0.1 to 192.168.0.254 using something like Ping Scanner Pro or Angry IP Scanner or Very Simple Network Scanner.
After you ping the range, you will see what's active.
Then run arp -a from a command line to get the MAC addresses.
Then, from the MAC addresses you will find the manufacturer names and that may be a clue.

Expert Comment

by:Brad Bouchard
ID: 38415777
A real simple way of finding out where it's at is this:

From a computer that got a lease from this rogue DHCP server, do an IPCONFIG /ALL in Command Prompt.  It should show you the IP of the rogue server.
Author Comment

by:russgarrett
ID: 38415889
It does show the IP 192.168.0.1, but where is it?

Expert Comment

by:Fred Marshall
ID: 38415908
If you get the MAC address of the device then you will have a pretty good clue.  As before....

Expert Comment

by:Rob Williams
ID: 38415943
It is also possible to set up DHCP service within RRAS, I would verify that is not the case under NAT.

Presumably these are wired connections and not wireless with the possibility of interference from a neighbor.

Expert Comment

by:Brad Bouchard
ID: 38415950
it does show the ip 192.168.0.1 but where is it?

Here is one way you could find it:

From a server/workstation that has two NICs (or from a virtual machine you could add a 2nd network card and put it on the 192 subnet) you could give one of them a 192 address and see if you can remote desktop to it or telnet to it or hit it by web browser.
Author Comment

by:russgarrett
ID: 38415999
239.255.255.250

255.255.255.255

192.168.0.100

MAC address out to side, does this help?

arp -a

Accepted Solution

by:
Fred Marshall earned 2000 total points
ID: 38416052
????

mac address where???

What are these numbers you've shown?
239.255.255.250 is a really strange number. What is it, or where did you get it from?
255.255.255.255 looks like a net mask that means "this address and only this address".
192.168.0.100 looks like something more likely a client address... is it?

Have you tried what I suggested from start to finish?  Here it is again:

Set up a machine on the network with a static address like: 192.168.0.233 / 255.255.255.0
(The reason for doing it this way is so you can control everything manually.  The assumption is that 233 isn't a very likely address to be already assigned.)
Don't worry about the "copper" belonging to 10.0.0.0 .. it doesn't.
Ping the entire range from 192.168.0.1 to 192.168.0.254 using something like Ping Scanner Pro or Angry IP Scanner or Very Simple Network Scanner.
After you ping the range, you will see what's active.
Then run arp -a from a command line to get the MAC addresses.
(That is, after the ping sequence, the arp -a command should list all the active ip addresses with their mac addresses).
Then, from the MAC addresses you will find the manufacturer names and that may be a clue.
(You can do this online. Go to:
http://standards.ieee.org/develop/regauth/oui/public.html
then put in the first six characters of the MAC address without any separators like "-" or ":"
and it will respond with the manufacturer's name of the network interface device.)
Author Comment

by:russgarrett
ID: 38416063
Yes,
I did, and I was wondering where the manufacturer IDs were.

Thanks!

Expert Comment

by:Fred Marshall
ID: 38419446
the first six characters of the MAC address

Expert Comment

by:Rob Williams
ID: 38419557
If it is any help, the whole process of obtaining the MAC and finding the vendor is covered in the link I provided in the very first response to your question.
Author Comment

by:russgarrett
ID: 38423046
I have found 9 wireless routers. 2 or 3 were putting out the 192.168.0.1 address. As I removed one the 192 went away but came back, so I removed 2 more routers and it seems to be working. The manufacturer ID was a Linksys but the ID did not match for D-Link.

Now I have to find the other addresses: 255.255.255.255, which is illegal. Then there is a 224.x.x.x and a 239.x.x.x. I think these are coming from a 3Com hub. Still have to address this. There are only 2 24-port hubs and I unplugged the Cisco and unplugged the cables about 4 at a time from the 3Com. Right now DHCP seems to be working from the 2003 server.

It is a church and we are going to see if it continues to work and if it runs out of the 10.0.0.x addresses again.
This is what happens when you don't have any money and a bunch of people just go to Best Buy and install what they want and tell no one.

Will have to let it run till the end of next week to see if the problems are solved, and I will be out of town till the end of next week.
Author Comment

by:russgarrett
ID: 38454820
There were 9 or 10 wireless routers that had been installed on the network. Most were from people going out and buying their own from Best Buy or Office Depot. 6 were installed that we did not know about.

3 of these were causing the issue: 2 D-Links and, I believe, a Linksys. When I would remove 1 the problem would go away for a few minutes and then come back, until all 3 were removed from the network.

Thanks!

Expert Comment

by:Rob Williams
ID: 38455066
Most companies have very strict rules about employees adding routers.  You can also implement MAC filtering which blocks DHCP assignment to unknown devices.