LinuxQuestions.org
Old 05-21-2006, 08:48 PM   #1
zamri
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Mandrake,Slackware,RedHat
Posts: 157

2 or more dhcp servers in a LAN


Hi all,

I administer a LAN at my office. Some of the PCs are configured to get their IP address from a DHCP server. I noticed that there's another PC in the LAN acting as a DHCP server, giving false network information, e.g. IP, netmask, gateway and DNS. This makes the PC unable to connect to the internet. Without searching for the *false* DHCP server and shutting down the service, is it possible to set a priority for which DHCP server should be giving network info for the LAN? Or is there any other way?
 
Old 05-21-2006, 10:13 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

You probably should locate that computer and shut down that service, or isolate it if you can. Seems to me a rogue DHCP server could be very dangerous. For example, setting the gateway IP to a man-in-the-middle gateway to intercept all outgoing traffic before sending it off to the real gateway.
 
Old 05-21-2006, 11:19 PM   #3
alistair100
LQ Newbie
 
Registered: Sep 2004
Posts: 3

Surely there should only be one DHCP server on your LAN? Assuming that your router does DHCP, it seems best to use that and turn off any others.
 
Old 05-21-2006, 11:59 PM   #4
zamri
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Mandrake,Slackware,RedHat
Posts: 157

Original Poster
It seems out of control to control lots of PCs in a LAN. Some PCs may have dhcpd up and running. I read there's an authoritative option that we can use in dhcpd.conf. How effective is the option?
 
Old 05-22-2006, 03:59 AM   #5
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

If it's anything like DNS, authoritative settings only make DHCP servers dependent on each other (for updating their info, i.e. the IP addresses in use).
However, think about what would happen if your authoritative DHCP server is temporarily unavailable.
Since DHCP basically works via broadcasts, your PCs will most likely end up contacting the (potentially malicious) false DHCP server.

So, I agree with jschiwal and the others. The rogue DHCP server must be blocked from sending/receiving DHCP messages (blocking broadcasting may do the trick) and/or have its DHCP service terminated.

Quote:
It seems out of control to control lots of PCs in a LAN.
That seems a poor excuse to me. If you're administering the LAN, you'll HAVE to lay down the law.
The administrator must be the boss of his/her own LAN.
Think about all the complaints from other users if you don't shut down the rogue server, for instance...

A hint: firewalls are not only used to keep out unwanted intruders. They are also useful to prevent malicious users on a LAN from doing harm to other users.
 
Old 05-22-2006, 05:21 AM   #6
zamri
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Mandrake,Slackware,RedHat
Posts: 157

Original Poster
Quote:
Originally Posted by timmeke
So, I agree with jschiwal and the others. The rogue DHCP server must be blocked from sending/receiving DHCP messages (blocking broadcasting may do the trick) and/or have its DHCP service terminated.
How do I block the broadcasting from the rogue server(s)?
 
Old 05-22-2006, 05:49 AM   #7
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Edit:
After a little searching, I found that I was mistaken.
It's the DHCP client that broadcasts across the network to get a DHCP server to respond.

Blocking the DHCP broadcasts would thus only prevent clients from using DHCP to get IP addresses.

Blocking the broadcasts from reaching some specific hosts (i.e. the rogue servers) may not be so straightforward.

So, sorry for the confusion. I was mistaken.

Last edited by timmeke; 05-22-2006 at 06:41 AM.
 
Old 05-22-2006, 07:07 AM   #8
zamri
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Mandrake,Slackware,RedHat
Posts: 157

Original Poster
Oh, it's ok. Let's discuss the matter. I have read in another thread that Windows clients are too picky in searching for a DHCP server. Meaning that it will get the IP from the one that can respond faster. If there's another DHCP server in the LAN that is nearer, it will definitely get it from that one first.
 
Old 05-22-2006, 07:45 AM   #9
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
I believe that's not only true for Windows DHCP clients.
Basically, DHCP works like this:
* clients don't know their own IP address nor that of the DHCP server, so they issue a network-wide broadcast DHCP request
* the broadcast is received by all DHCP servers
* all servers respond
* the client "picks" a server (usually the fastest/nearest one, since its reply is simply received first)
* the client then finalizes the DHCP request by contacting the picked server
* all other servers don't get a reply, probably time out or something, and then say that the IP address they proposed to the client is once again "open" for all DHCP clients to claim

That seems logical, no?

Most clients will use the first DHCP answer they get, so the "pickiness" you described is probably the standard client behaviour.

If you know the IP of the rogue server, you can probably block some or all network traffic to it, but this may not necessarily work for the broadcasts.
However, the client does send an "acknowledgement" to the server, so that the server knows that the IP it has suggested is now occupied by the client who sent the broadcast (i.e. the server knows it has been "picked"). Maybe you could block such acknowledgement messages. They aren't IP broadcasts, of course.

Then again, if you know the server's IP address, you could also locate it and make sure the DHCP service is shut down.
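An added example, not code from this thread, that ties timmeke's description of the exchange to the actual DHCP message layout and to zamri's original complaint (false gateway and DNS). It decodes a DHCPOFFER, pulls out the server identifier (option 54), router (option 3) and DNS (option 6) fields, and flags an offer whose server is not on the administrator's trusted list; the trusted server address and the two sample offers are constructed assumptions, not captures from the poster's LAN.

```python
import struct
from ipaddress import IPv4Address

COOKIE = b'\x63\x82\x53\x63'       # DHCP magic cookie (RFC 2132)
TRUSTED_SERVERS = {"192.168.1.1"}  # assumption: the LAN's one legitimate DHCP server

def parse_options(data):
    # Walk the TLV option area after the cookie; returns {option_code: raw_bytes}.
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:            # pad byte
            i += 1
            continue
        if code == 255:          # end marker
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts
def parse_dhcp(packet):
    # Decode the fixed BOOTP header plus the options a rogue server would lie in.
    if len(packet) < 240 or packet[236:240] != COOKIE:
        raise ValueError("not a DHCP packet")
    op, xid = packet[0], struct.unpack('!I', packet[4:8])[0]
    opts = parse_options(packet[240:])
    def first_ip(code):          # option 6 may list several DNS servers; take the first
        raw = opts.get(code)
        return str(IPv4Address(raw[:4])) if raw and len(raw) >= 4 else None
    return {"op": op, "xid": xid, "msg_type": opts.get(53, b'\x00')[0],
            "yiaddr": str(IPv4Address(packet[16:20])),      # address being offered
            "server_id": first_ip(54), "router": first_ip(3), "dns": first_ip(6)}
def classify_offer(packet, trusted=TRUSTED_SERVERS):
    # Returns the decoded OFFER with a 'rogue' flag, or None for other message types.
    info = parse_dhcp(packet)
    if info["msg_type"] != 2:    # 2 = DHCPOFFER, the server reply to the client broadcast
        return None
    info["rogue"] = info["server_id"] not in trusted
    return info
def build_offer(server_ip, yiaddr, router, dns, xid=0x3903F326):
    # Constructed sample DHCPOFFER (not a real capture) so the parser can be exercised.
    hdr = struct.pack('!BBBBIHH', 2, 1, 6, 0, xid, 0, 0)          # op=2 BOOTREPLY
    hdr += bytes(4) + IPv4Address(yiaddr).packed                   # ciaddr, yiaddr
    hdr += IPv4Address(server_ip).packed + bytes(4)                # siaddr, giaddr
    hdr += bytes.fromhex('001122334455') + bytes(10) + bytes(192)  # chaddr, sname, file
    opts = (b'\x35\x01\x02' + b'\x36\x04' + IPv4Address(server_ip).packed
            + b'\x03\x04' + IPv4Address(router).packed + b'\x06\x04' + IPv4Address(dns).packed)
    return hdr + COOKIE + opts + b'\xff'
GOOD_OFFER = build_offer("192.168.1.1", "192.168.1.50", "192.168.1.1", "192.168.1.1")    # constructed
ROGUE_OFFER = build_offer("192.168.1.77", "192.168.1.50", "192.168.1.77", "192.168.1.77")  # constructed
```

Fed the OFFERs seen on port 68 (for example from a packet capture), `classify_offer` gives the administrator the rogue server's identifier and the bogus gateway/DNS it hands out, which is the evidence needed to locate that PC and shut the service down.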
 
Old 05-24-2006, 03:16 AM   #10
zamri
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Mandrake,Slackware,RedHat
Posts: 157

Original Poster
Yes. I know the server's IP address, but I am thinking of ways to prevent this automatically, even without client reconfiguration, if that's possible/permissible.
 
  

