Quiz Entry - updated: 2026.07.14
A device often gets its DNS server address from DHCP. Why does this design choice matter?
It chains trust: whoever runs your DHCP also controls which DNS server you use — meaning a malicious DHCP server can redirect your name resolution and intercept all traffic.
The chain:
You connect to network
↓
DHCP DISCOVER (broadcast)
↓
DHCP OFFER includes: IP, gateway, DNS server ← you trust whoever answers!
↓
You start using the assigned DNS for every query
The attack scenario — rogue DHCP:
- Attacker runs a DHCP server on your LAN (e.g., compromised router, malicious laptop)
- Their server replies to DISCOVER faster than the legit one (race condition)
- Their OFFER lists the attacker's IP as DNS server
- Now every name lookup you make goes through attacker's DNS
- Attacker can return forged IPs for any domain → MITM all traffic
Why this is hard to detect:
- Your machine works fine — DNS resolves, sites load
- The attacker can pass through legitimate IPs for most domains and only intercept specific ones (e.g., bank.com)
- HTTPS catches some of this (cert mismatch warnings) but only for HTTPS sites
Defenses:
| Defense | How |
|---|---|
| DHCP snooping | Switch only allows DHCP responses from authorized server ports |
| Static DNS config | Hardcode 8.8.8.8 or 1.1.1.1 — bypasses DHCP-provided DNS |
| DoH/DoT | Use encrypted DNS to a known provider — your local DNS is bypassed |
| VPN | Pushes DNS through a trusted tunnel |
Three protocols in one flow:
For a single DNS query, the DNS server's IP comes from DHCP, and the DNS server's MAC is resolved via ARP — so DHCP, ARP, and DNS all cooperate to send one name lookup.
Tip: On public WiFi, change your DNS to a trusted provider (Cloudflare 1.1.1.1, Quad9 9.9.9.9). It's a one-line settings change that defeats DNS-based MITM and surveillance.
Go deeper:
Rogue DHCP (Wikipedia) — how a rogue server hands out a malicious DNS/gateway and sniffs traffic.
DHCP snooping (Wikipedia) — the switch-side defense that only trusts authorized DHCP ports.