LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

A device often gets its DNS server address from DHCP. Why does this design choice matter?

It chains trust: whoever runs your DHCP also controls which DNS server you use — meaning a malicious DHCP server can redirect your name resolution and intercept all traffic.

The chain:

You connect to network
  ↓
DHCP DISCOVER (broadcast)
  ↓
DHCP OFFER includes: IP, gateway, DNS server   ← you trust whoever answers!
  ↓
You start using the assigned DNS for every query

The attack scenario — rogue DHCP:

  1. Attacker runs a DHCP server on your LAN (e.g., compromised router, malicious laptop)
  2. Their server replies to DISCOVER faster than the legit one (race condition)
  3. Their OFFER lists the attacker's IP as DNS server
  4. Now every name lookup you make goes through attacker's DNS
  5. Attacker can return forged IPs for any domain → MITM all traffic

Why this is hard to detect:

  • Your machine works fine — DNS resolves, sites load
  • The attacker can pass through legitimate IPs for most domains and only intercept specific ones (e.g., bank.com)
  • HTTPS catches some of this (cert mismatch warnings) but only for HTTPS sites

Defenses:

Defense How
DHCP snooping Switch only allows DHCP responses from authorized server ports
Static DNS config Hardcode 8.8.8.8 or 1.1.1.1 — bypasses DHCP-provided DNS
DoH/DoT Use encrypted DNS to a known provider — your local DNS is bypassed
VPN Pushes DNS through a trusted tunnel

Three protocols in one flow:

For a single DNS query, the DNS server's IP comes from DHCP, and the DNS server's MAC is resolved via ARP — so DHCP, ARP, and DNS all cooperate to send one name lookup.

Tip: On public WiFi, change your DNS to a trusted provider (Cloudflare 1.1.1.1, Quad9 9.9.9.9). It's a one-line settings change that defeats DNS-based MITM and surveillance.

Go deeper:

From Quiz: INTROL / Protocol Analysis | Updated: Jul 14, 2026