Home Blog What Is DHCP? How It Works, Ports, and Security Risks

What Is DHCP? How It Works, Ports, and Security Risks

DHCP automates IP assignment but lacks built-in security.
Key Points
  • DHCP is a foundational networking protocol that automates network connectivity and IP address assignment.
  • While DHCP is essential for connectivity automation, it lacks built-in security controls and must be paired with network-level protections.
  • DHCP remains a highly relevant protocol in modern networking environments.

What Is the DHCP Protocol?

The DHCP protocol, more commonly referred to by its acronym alone — DHCP — is the Dynamic Host Configuration Protocol. It streamlines device management across networks by automatically assigning IP addresses and other network configuration settings DHCP operates at the application layer of the TCP/IP model and uses UDP as its transport protocol.

In the early days of network management, IP addresses had to be manually configured on each device in the network. While this was fairly easy for small networks, it became time-consuming and error-prone for networks that spanned dozens, hundreds, or even thousands of devices.

The need for a more streamlined solution led to Bootstrap Protocol (BOOTP) in the 1980s. This protocol automatically assigned IP addresses within a network, but once an IP address was set, it couldn’t be changed.

To solve that issue and others, the DHCP protocol emerged in the 1990s to provide a more dynamic solution for IP configuration in large networks.

What Layer is the DHCP Protocol?

DHCP works on a client-server model. When a new device joins a network without a preconfigured IP address, it initiates DHCP to obtain network configuration parameters. It gets this information from the server.

The general process encompasses four steps, also known as DORA (Discover, Offer, Request, Acknowledgment):

Step 1: DHCPDISCOVER

During DHCPDISCOVER, the client broadcasts a message to 255.255.255.255 (or uses a local broadcast address) because it does not yet have an IP address.

Step 2: DHCPOFFER

The DHCP server responds with a unicast or broadcast DHCPOFFER message containing an available IP address and configuration parameters.

Step 3: DHCPREQUEST

In DHCPREQUEST, the client broadcasts its acceptance of a specific offer so that other DHCP servers withdraw their proposals.

Step 4: DHCPACK

DHCPACK, or DHCP acknowledgement involves the DHCP server sending the client the IP address, subnet mask, default gateway, and DNS server.

How DHCP Works: An Example

When a new employee connects their laptop to a corporate Wi-Fi network, their device doesn’t have an IP address on this network yet. So, it sends a DHCPDISCOVER message to find a DHCP server on the network.

The DHCP server responds with an available IP address (DHCPOFFER). The laptop accepts the offer (DHCPREQUEST), and the server confirms the assignment (DHCPACK), providing the IP address, subnet mask, default gateway, and DNS settings. This all occurs within seconds, and the laptop is then fully configured to access the internet and internal network resources.

What Information Does DHCP Provide to Devices?

Beyond assigning an IP address, DHCP provides configuration details that allow a device to actually communicate on a network. Without this information, a device may physically connect, but it won’t be able to access the internet or network resources.

This information includes:

  • Subnet mask: Identifies which part of the IP address refers to the network and which refers to the host address
  • Default gateway: Allows traffic to reach external networks
  • DNS servers: Act as a directory, tying a URL to a specific IP address
  • Duration of lease: Determines how long the configuration is valid for before it must be renewed

What Is a DHCP Lease?

Configuration details and IP assignment are not permanent. The DHCP server provides the client with configuration information on a lease basis. Each lease has an expiration date, after which the client must renew its lease or lose its network access.

Typically, the client will broadcast DHCPREQUEST halfway through its lease to reset the timer and ensure renewal. If the DHCP server is unavailable, it will send the renewal request again before the lease expires.

If the lease is renewed, the client continues to operate within the network without interruption. If the lease is not renewed, the IP address is reclaimed by the DHCP server and returned to the available address pool, where it can be assigned to new devices as they join the network.

What Is a DHCP Protocol Port?

DHCP utilizes User Datagram Protocol (UDP) ports, virtual destinations on a device that allow it to send and receive data. Specifically, UDP ports 67 and 68 enable communication between the client and DHCP server.

  • Port 67: DHCP servers use this port to listen for incoming broadcasts from clients, like DHCPDISCOVER and DHCPREQUEST
  • Port 68: Clients (computers, phones, and other devices) use this port to receive replies, like DHCPOFFER and DHCPACK, from the DHCP server

DHCP communication relies on messages sent via these UDP ports. Because the new devices don’t know where the DHCP server is, they broadcast the initial DHCPDISCOVER to all devices on the local network.

However, in many instances, the DHCP server may be located in another region — like a corporate headquarters. But the broadcast is local to a network, meaning the message can’t reach past its local subnet without help.

To solve the issue, DHCP uses relay agents configured in large networks to forward DHCP messages between clients and servers. A router can be configured as a DHCP relay agent to enable the DORA process across subnet boundaries.

Does the DHCP Protocol Include Security Controls?

The short answer is no. DHCP was not designed as a security protocol. It prioritizes connectivity and automation for network management and doesn’t have any native authentication or encryption.

DHCP does not verify device identity, user identity, or device compliance status, meaning any device capable of sending a DHCP request can receive network configuration if additional security measures are not taken. This becomes especially problematic in modern environments with BYOD policies, IoT devices, and remote or guest connections.

Common security risks of DHCP include:

  • DHCP spoofing: Malicious actors may set up rogue servers to impersonate legitimate DHCP servers to intercept or manipulate traffic.
  • DHCP starvation attacks: Attackers perform a DoS attack, exhausting all available IP addresses in the pool to prevent legitimate devices from connecting to the network.
  • Information disclosure: Unencrypted DHCP traffic can be monitored to map network structure and services.

Best Practices for Secure DHCP Implementation

Because DHCP lacks built-in security controls, organizations should implement network-level safeguards to reduce risk and prevent misuse. Common best practices include:

  • DHCP snooping: A security feature in network switches that acts as a firewall between untrusted devices and DHCP servers
  • Applying port security: Limits the number of valid MAC addresses that can connect to a specific port
  • VLAN segmentation: Contains attacks to isolated networks and reduces broadcast noise
  • Rate limiting: Limits the number of requests a client can make within a set timeframe

It’s important to note that these measures only protect the DHCP process. DHCP is responsible for assigning network configuration; it doesn’t determine whether a device can be trusted.

Modern networks pair DHCP with identity and certificate-based access controls, such as 802.1X authentication, device certificates, and zero-trust network access (ZTNA), to ensure only authorized devices are granted network connectivity.

Is DHCP Still Relevant Today?

Yes – DHCP is still a widely used and foundational protocol. Most networks, particularly in enterprise and, campus environments and Wi-Fi networks, rely on DHCP for day-to-day connectivity. Its ability to automatically assign and manage IP configurations at scale makes DHCP invaluable as networks continue to grow more complex.

Static IP addresses are still used in some cases, such as servers, network appliances, and critical infrastructure, but they represent only a small portion of most large networks.

In cloud-based environments, DHCP is often embedded into the platform with dynamic IP assignment processing behind the scenes. With the adoption of IPv6, technologies like DHCPv6 and SLAAC coexist to support modern addressing needs.

Overall, DHCP is a critical aspect of network management, but to ensure security, it should be paired with access controls like 802.1X and zero trust frameworks. To learn more about modern network security solutions from SecureW2, including JoinNow Dynamic PKI and Cloud RADIUS for truly passwordless, continuous authentication, reach out today.

Vivek Raj

Vivek is a Digital Content Specialist from the garden city of Bangalore. A graduate in Electrical Engineering, he has always pursued writing as his passion. Besides writing, you can find him watching (or even playing) soccer, tennis, or his favorite cricket.

Learn More About SecureW2

Why SecureW2

Establish continuous trust with Dynamic PKI and Cloud RADIUS. Enforce access based on live identity, device posture, and risk context.

  • Passwordless authentication that can't be phished
  • Works with your IdP, MDM, and security stack
  • Real-time policy engine for dynamic access control
Learn More
Explore the Platform

Get the essentials on the products that power continuous enforcement.

SecureW2 JoinNow Platform
SecureW2 Dynamic PKI
SecureW2 Cloud RADIUS
MultiOS for Self-Service Onboarding
Integration Hub
Knowledge Base Articles

Explore practical guidance from engineers and admins deploying SecureW2.

  • Setup and configuration tutorials
  • Integration best practices with IdPs and MDMs
  • Troubleshooting guides for PKI and RADIUS
Browse Explainers

Related Articles

A technical guide explaining PKI authentication, certificate validation to secure network access.
PKI & Certificate-Based Authentication February 26, 2026
What Is PKI Authentication? How It Works for Enterprise Security

PKI authentication uses digital certificates and asymmetric cryptography to verify user and device identity. This guide explains how PKI works, how EAP-TLS enables certificate-based authentication, and why enterprises rely on...

By Vivek Raj 3 min read
SSL stripping downgrades HTTPS to HTTP to expose plaintext traffic.
Cybersecurity February 26, 2026
What Is SSL Stripping? How It Works and How to Prevent It

SSL stripping is an on-path attack that downgrades HTTPS to HTTP, allowing attackers to intercept unencrypted traffic when HSTS protections are absent.

By Vivek Raj 3 min read
There are a number of potential Wi-Fi authentication issues each with a different cause and solution.
Network Security February 26, 2026
How to Fix and Prevent a Wi-Fi Authentication Problem

Wi-Fi authentication problems can result from incorrect credentials, security mismatches, certificate issues, or RADIUS policy errors. Learn how to troubleshoot and prevent them in home and enterprise networks.

By Vivek Raj 4 min read
A subnet mask defines IPv4 network boundaries, enabling accurate routing and controlled broadcast domains.
Network Infrastructure February 26, 2026
What Is a Subnet Mask? Definition, Examples, and How It Works

A subnet mask is a 32-bit value used to determine the network and host portions of an IPv4 address, supporting efficient subnetting and traffic control.

By Vivek Raj 3 min read
A MAC address identifies network interfaces at Layer 2, but it can be spoofed and should not be trusted alone.
Network Infrastructure February 26, 2026
What Is a MAC Address? How It Works and Security Risks

A MAC address is a Layer 2 hardware identifier used for local network delivery, but it lacks cryptographic security and can be spoofed.

By Vivek Raj 3 min read
A network bridge connects LAN segments at Layer 2, but lacks modern security controls.
Network Infrastructure February 25, 2026
What Is a Network Bridge? How It Works and Security Risks

A network bridge is a Layer 2 device that forwards Ethernet frames between segments using MAC address learning, with important performance and security limitations.

By Vivek Raj 3 min read