What Is DHCP? — The DORA Flow That Hands Out IP Addresses Automatically

⏱ approx. 8 min views 151 likes 0 LOG_DATE:2026-06-10
TOC

DHCP (Dynamic Host Configuration Protocol) automatically hands out an IP address and various settings to a device that joins a network. The reason you can join a café's Wi-Fi and communicate with zero configuration is that a DHCP server instantly tells you "here's your IP, your gateway, your DNS." The exchange is the four steps Discover -> Offer -> Request -> Ack (DORA). This article covers what's handed out, the DORA flow, how a host with no IP communicates, leases and renewal, and the security angle including rogue DHCP.

01

What DHCP is — freedom from manual config #

To communicate over IP, you need to know at least your "IP address", "subnet mask", "default gateway", and "DNS server". Setting this by hand on every device is impractical. DHCP is the "lending counter" that hands out this initial config every time you connect and reclaims it when you're done.

▸ In plain terms — "borrowing a visitor badge at reception"

When you enter a building, you borrow a numbered visitor badge (an IP address) at reception (the DHCP server). It has an expiry (the lease); to stay longer you renew it. When you leave you return it (or it's reclaimed on expiry). Reception tracks who holds which number in a ledger.

02

What it hands out — not just an IP #

ItemRole
IP addressYour address
Subnet maskThe boundary of "same network"
Default gatewayThe exit (router) to the outside
DNS serverWhere to send name lookups
Lease timeHow long you may use this config

If an attacker swaps the gateway and DNS handed out here, they hijack the traffic path and name resolution wholesale — which leads directly to the security section (§06).

03

DORA — borrow in four steps #

The heart of DHCP is Discover -> Offer -> Request -> Ack, remembered as DORA.

1. DHCP Discover (seek, broadcast)
A device with no IP broadcasts "any DHCP server out there?" across the segment. Its source is 0.0.0.0.
2. DHCP Offer (propose)
A server offers a candidate: "you can have this IP (e.g., 192.168.1.50), here are the GW and DNS." With multiple servers, multiple Offers may arrive.
3. DHCP Request (formally ask)
The device replies (again by broadcast) "I'll formally take 192.168.1.50." This tells everyone which server's Offer was chosen and declines the others.
4. DHCP Ack (confirm, grant lease)
The server approves "confirmed, lease is N hours." Only now does the device start using the IP as its own.
04

How can it communicate with no IP yet? — broadcast and relay #

At the start of DORA the device doesn't even have its own IP yet. So Discover goes out with destination 255.255.255.255 (broadcast to all) and source 0.0.0.0, on UDP 67 (server) / 68 (client).

The catch: broadcasts don't cross routers. If the server is on another subnet, Discover never arrives. The fix is a DHCP relay agent (IP helper): the router catches the broadcast, converts it to unicast, and forwards it to the central DHCP server.

▸ Why Request is also a broadcast

When multiple DHCP servers send Offers, broadcasting Request tells all servers at once "which Offer was chosen", letting the unchosen servers release their reserved IP. That's why everything up to Ack is broadcast by default.

05

Lease and renewal — don't keep it forever #

An assignment isn't permanent; it comes with a lease (rental period). Before it expires, the device renews automatically.

TimingElapsedAction
T150% of leaseUnicast a renewal to the server that granted it (Request -> Ack)
T287.5% of leaseThe original server isn't answering, so broadcast to try renewing with any server
Expiry100%Give up the IP and redo DORA from scratch

To always give a specific device the same IP, use a reservation that binds a MAC address to an IP. You can renew manually with ipconfig /renew (Windows) or dhclient (Linux).

06

Security — the danger of "anyone can answer" #

DHCP has no authentication either, so it's vulnerable to rogue servers and abuse.

AttackMethod and impactDefense
Rogue DHCP serverThe attacker floods fake Offers and gets itself set as the gateway / DNS, MITM-ing all trafficDHCP snooping
DHCP starvationMass Discover with fake MACs exhausts the pool; legitimate hosts can't get an IP (DoS), often a precursor to rogue redirectionPort security / rate limiting
▸ DHCP snooping — only trusted ports may be servers

On the switch, decide that only a trusted port (the real server side) may emit server replies (Offer/Ack), and drop fake Offers coming from user ports. Furthermore, the "IP<->MAC<->port" ledger that snooping builds also feeds the validation for [[arp]] DAI (Dynamic ARP Inspection). The two work as a set.

07

Summary — five things to remember #

  • DHCP hands out IP, mask, GW, DNS, lease automatically.
  • The flow is Discover -> Offer -> Request -> Ack (DORA).
  • The device has no IP yet, so it uses broadcast + UDP 67/68. Another subnet is bridged by a DHCP relay.
  • Assignments are leased. Auto-renew at T1 (50%) / T2 (87.5%). Use a reservation to fix an address.
  • With no authentication it's vulnerable to rogue DHCP / starvation. The defense is DHCP snooping (combined with DAI).
𝕏 Post B! Hatena