Skip to main content
Explainer · networking

How DHCP works

The Dynamic Host Configuration Protocol is the invisible plumbing that lets your phone join a coffee-shop Wi-Fi and start loading pages within seconds. Here is the whole protocol, the lease lifecycle, the IPv6 equivalents, and the failure modes every network engineer eventually meets.

Why DHCP exists

In the early TCP/IP era, every machine on a network had to be configured by hand with four things: a unique IP address, a subnet mask telling it which addresses were "local," a default gateway IP telling it where to send everything else, and a list of DNS resolvers. Forget any of the four and the device worked partially or not at all. Get any one of them wrong and the troubleshooting was painful — IP collisions in particular look like intermittent failures rather than clear errors.

DHCP, standardized in RFC 2131 (1997) as a successor to the earlier BOOTP protocol, automates all of that. A central server hands out leases from a pool of addresses; the client just asks for one when it joins the network and gets back a full configuration ready to use. Today every consumer router and every enterprise switch fabric runs DHCP by default — you almost never see a hand-configured client outside of servers, printers you want to find at a predictable address, or specialized infrastructure.

The four-step handshake: DORA

Mnemonic: Discover, Offer, Request, Acknowledge. Every DHCP transaction starts with these four packets, in this order, broadcast to the network so any DHCP server on the segment can hear them.

  1. DHCPDISCOVER. A new client (or one with an expired lease) broadcasts a UDP packet to 255.255.255.255 on port 67, from source port 68. "Is there a DHCP server out there? I need an IP. My MAC address is X." Because the client has no IP yet, it uses 0.0.0.0 as the source — the broadcast destination is how it reaches a server.
  2. DHCPOFFER. Any DHCP server with a free address in its pool replies: "Here is an IP, here is the subnet mask, here is the gateway, here are the DNS servers, the lease is valid for N seconds." On a network with a single DHCP server (the home case), there's just one offer. On a network with a primary and a backup server, the client may receive multiple offers and pick the first.
  3. DHCPREQUEST. The client formally accepts one offer by broadcasting it. The broadcast lets any other DHCP servers know which offer was accepted, so they can return the addresses they had reserved back to their pool.
  4. DHCPACK. The chosen server confirms the assignment with a final ACK. The client configures its interface, the lease starts ticking down, and ordinary traffic can flow.

Total round-trip: usually under 100 ms on a quiet LAN. If you have ever watched a phone show "connecting…" for noticeably longer than that, something else (Wi-Fi association, captive portal probing, IPv6 router solicitation) is the bottleneck — not the DHCP handshake itself.

The lease lifecycle

A DHCP lease isn't a one-shot deal. The server hands you an address for a finite period (the lease time), with two checkpoints called T1 and T2.

A client can also voluntarily release a lease with DHCPRELEASE — for example, when you disconnect from Wi-Fi cleanly. Some operating systems do this enthusiastically; others (notably mobile OSes that try to roam fast) skip the release and just let the lease expire on the server side.

DHCP options — the surprising number of things DHCP can configure

The OFFER and ACK packets aren't just "here's an IP." They include a list of TLV-encoded options, identified by a numeric code. There are over 150 defined options; the ones that matter most in practice:

Most of the friction in enterprise DHCP rollouts is about getting the right combination of options to the right client class — VoIP phones need different options from laptops, PXE-booting workstations need others again, BYOD devices need a sandboxed set.

Reservations vs. static IPs

For devices you want at a predictable address (printers, NAS, the home server hosting Plex), the right tool is a DHCP reservation, not a hand-configured static IP. A reservation tells the DHCP server "when you see MAC address X, always offer the same address." Three benefits over a static IP:

IPv6's two paths — SLAAC and DHCPv6

IPv6 changes the picture. The protocol design assumed that the address space was big enough that every device could pick its own address without coordination, so the default assignment mechanism is SLAAC (Stateless Address Auto-Configuration):

  1. The router periodically broadcasts a Router Advertisement (RA) containing the network prefix (the first 64 bits) and the gateway.
  2. The host appends an interface identifier — historically derived from the MAC address, now usually a random opaque value (RFC 7217) for privacy.
  3. The host performs Duplicate Address Detection by sending an unsolicited neighbor solicitation; if no one objects, the address is taken.

SLAAC alone doesn't provide DNS or NTP. For that, the host either uses the RDNSS option inside the Router Advertisement (RFC 8106) or runs DHCPv6 in stateless mode to pull configuration from a server. DHCPv6 stateful mode is closer to IPv4 DHCP — the server tracks each address it has handed out and the host requests one explicitly. Enterprise IPv6 deployments almost always run DHCPv6 stateful so they can audit address ownership the same way they did under IPv4.

Common failure modes

Address conflicts

Two devices end up on the same IP. Usually because someone hand-configured a static IP inside the DHCP pool. Symptoms: intermittent disconnects, especially when one of the two devices comes or goes. Fix: either move the static device outside the DHCP pool's range or convert it to a DHCP reservation. Most modern DHCP servers (ISC, Microsoft, MikroTik) ARP-probe before offering an address to catch this preemptively.

Rogue DHCP servers

Anyone on the broadcast domain can run a DHCP server. The fastest reply wins. If a rogue server hands out incorrect gateways or DNS, every device that lands on it routes its traffic through the attacker. This is a classic LAN attack. The mitigation is DHCP snooping on managed switches, which lets you mark specific ports as "trusted" — only DHCP offers from those ports are forwarded.

Pool exhaustion

The DHCP server has handed out every address in its pool. New devices fail to get one. Symptoms: a guest network where the third visitor of the day can't connect even though two have left. Fixes: shorten the lease time so addresses recycle faster, grow the pool, or split visitors onto multiple subnets.

Stuck APIPA (169.254.x.x)

When DHCP fails completely, Windows and macOS fall back to a random address in the 169.254.0.0/16 range. Devices can talk to each other on the same segment but cannot reach the internet. Seeing a 169.254 address is your tell that DHCP is broken — either the server is unreachable or there's a Layer 2 problem stopping the DISCOVER broadcasts from reaching it.

DHCP starvation attacks

A malicious device spams DHCPDISCOVER from random MAC addresses, requesting every IP in the pool. The pool exhausts, new clients fail. Mitigated by port-security on switches (limit the number of MAC addresses per port) and by DHCP snooping rate-limiting.

How to inspect DHCP from a client

Related reading