Does Disabling DHCP on Your Router Really Help Your Security?

Unless you’re hooking up one single computer to an Ethernet-based Internet connection, there’s a router somewhere between every device you use and the World Wide Web. You depend on this router to keep you safe, but its default settings might not always be the most optimal to harbor a secure environment. Some sites are telling their readers now that disabling DHCP and configuring a static IP on each device is a significant step in the process of ensuring your security. But does this really help you?

If you’re a bit confused right now, don’t feel bad. It’s not like the average Internet user has to know what the dynamic host configuration protocol (DHCP) is. But that’s why we’re here!

DHCP, in short, is the protocol your router uses to automatically give each of your connected devices an IP. If your router’s IP is 192.168.0.1, the first computer you connect to it may be assigned the IP of 192.168.0.2. Next in line is 192.168.0.3, and so on, and so forth. Your devices may not always have the same IP since the router just plops whatever IP number it wants on a first-come, first-serve basis. That’s what the “dynamic” part of DHCP represents. Your IP may change at any point.

A static IP  address doesn’t change. It’s something you configure from your computer’s network settings and force the router to recognize. This way, you can be sure that one particular computing device connected to your router will always have its configured IP address. If you turn off your computer right now and its IP was 192.168.0.2, it will have the same IP when you turn it on again.

dhcp-wardriving

Many people consider DHCP to be quite risky for your network, especially if you have an open Wi-Fi connection (i.e. you don’t require a “password” to connect to your router through Wi-Fi). This is because every device that requests a connection will be admitted into the network and assigned an IP regardless. The idea is that most devices don’t anticipate the need for a static IP address and try to request an IP from the router. If the router doesn’t have DHCP enabled, it will ignore that request and the device won’t connect.

What if you have a WPA2-protected Wi-Fi connection? Do you still need to disable DHCP?

Here’s where disabling your DHCP may actually be useless. Why should you take such a measure when you already have a way to prevent outsiders from entering your network?

This isn’t the only problem with the whole concept. The average router uses either 192.168.0.x or 10.0.0.x as its IP. Configuring a static IP for other computers in your networks requires that you be in the same subnet as the router, so you’re stuck with whatever IP range your router uses, limiting your choices. Of course, you can always change the router’s internal IP address and that’s that. However, most of the people who advocate disabling DHCP do not include changing the router’s IP (to something obscure, like 167.12.35.2 or something like that) in the process.

If you really want to maximize security, set a WEP/WPA/WPA2 password for the router’s Wi-Fi antenna. I highly suggest using the latter two (WPA/WPA2) since WEP has some massive holes in it that virtually any mediocre hacker can push through.

And if you’re intent on disabling DHCP, you’re doing it for nothing if you don’t also change the router’s internal IP to something routers don’t typically use. Otherwise, it will be easy to guess the router’s IP address to configure a device’s static IP within that particular range. You’d have just created one more step in the process of gaining access to your network rather than having thwarted a security threat.

If you’d like to discuss this a little more, you’re more than welcome to submit a comment on the subject below!

17 comments

  1. DHCP is not intended to be a security feature. It’s just a comfort feature. Even restricting access to only know MAC addresses will not help. If anybody has access to your wireless (be it because it’s not encrypted or he knows the password) he can easily sniff the packets for IP adresses or MAC addresses and set his machine to a address inside the network or spoof a valid MAC address. DHCP does not lock out unwanted guests. Only strong encryption (WPA, WPA2) and a good passphrase do.

    • Precisely. Disabling DHCP does very little (if anything) in terms of protecting you. It only presents a superfluous inconvenience. WPA2 is by far better, in terms of restricting wireless access, than any other method.

  2. I don’t think so, Because normal person can’t hack wireless devices only hackers can do that, and it’s not hard for them to findout what never is using router and what’s the gateway for that, So I’m totally disagreed on this that Disabling DHCP helps to improve Wireless security.

    • Agree, it is worthless advice. The only advice that actuall have any security value is turning on WPA2 and turn off WEP and if possible turn off WPA too.

      Do not turn off DHCP server, I know how to figure out where the router are and what the IP net address are.
      Do not turn on locking on MAC addresses, as I know how to figure out which MAC addresses are allowed and set my machine to that one.

      And the advice in this article about random IPv4 address are just bad.

      Yes, change IP address are nice but not for security reasons. It is good for the computer to identify which network it is connected to. So routers and your LANs address should be kind of random, but ONLY from a private address range, which are not random at all.

      Here is how you can select one address for your router.
      So set routers address to one of 192.168.X.1 or 192.168.X.254, where X are one number in the range 0 … 255, like 192.168.42.254 and your nets address then is 192.168.42.0 (notice the zero in the end, that is a network address)
      OR
      Set it to 10.X.Y.1 or 10.X.Y.254, where X and Y are two numbers in the range 0 … 255, like 10.142.192.1 and nets address then is 10.142.192.0

      • Yes, changing the subnet while DHCP is disabled may make life harder, but an insistent hacker will get his way nonetheless. WPA/WPA2 are hands-down the best bets for anyone enabling Wi-Fi.

  3. In additon to WPA2, make sure that the router is not broadcasting its SSID to the world.

    • Please, please and please do NOT recommend people to turn of SSID. It actually LOWERS your security of your clients.

      To be able to connect to a router that has turned off the SSID, the client have to ask if it actually is near by “shouting” out in the eather if your router with the SSID you want are there. And then the black hat just have to configure his device to answer “I am!”, and you are cought.

      It will not even protect your router, as the black hat just needs to put his device near your home and wait for your client to access the router and it will know what SSID you have. Only unconveniant for you and no security. Like turning of DHCP server.

      And your client will shout out which SSID it want too connect to each time you turn on the wireless network on your client. At home or at the internet caffé or from your pocket.

      So turning off the SSID is just puting your clients in risk asking by asking black hats if it can be connected to their access point.

      • Well, it’s not something that should be done, but you’re not harming yourself by doing it. And yes, you’re absolutely correct on account of the fact that since Wi-Fi operates through radio, you must broadcast everything you send and receive, including the SSID handshake. End-to-end encryption (WPA/WPA2) and VPNs are your friends, more than anything else.

        • Well, you actually harming your self when turning off SSID broadcasting from your AP. Instead of the client listening which AP are near and select which one to connect to, your client asks if your AP are near.
          And a black hat could program its device to fool your client and claim it is your AP. And now you have a man in the middle attack happening. Where the black hat could listen in on most/all your traffic, including encrypted one. And this could happen without you being aware of it from your phone in your pocket while you walk by a restaurant or café.
          It only makes it harder for your legitimate user and even put them at risk.

          • True! I had not thought to consider this possibility. I completely forgot about the man-in-the-middle attack. Thanks for sharing :)

    • The lack of SSID broadcasting can be an issue on some mobile devices that don’t allow you to manually input networks. If you don’t have those issues, knock yourself out. In that case, disabling SSID broadcasting is useful if one doesn’t just keep the SSID that the router came with. Everyone knows “linksys”, “d-link”, and the like.

      • No, that isn’t the problem. The problem is those devices that can handle non-SSID broadcasting access points.
        Hiding SSID is only security by obscurity. And that isn’t a useful security.

        Just turn on WPA2, have a good password and you have an easy to use *and* secure AP.

  4. Having more than 1 DHCP server on your network isn’t smart move, but dumb and within a week your whole network will go down, leaving you with the question wtf is wrong with you. Imagine you got 1 router, 3 wifi extenders and 6 access points . router->wifi extenders->access points
    You should mention about this fact, as it can cause serious problems if you work in big company and plug some device in the network with “dhcp” enabled, your boss will hire some technicians and they’ll quickly discover that the reason the whole network to go down is you. I bet that you’ll be fired on the same day.

    • This article was more about home networks. Any technician working in a corporate environment of course knows that there has to be one single point of authority over the IPs assigned throughout the building. So, one router will act as a router and the rest will act as network switches, following the instructions of that router’s DHCP server.

  5. Thanks guys! Refreshing for a change to browse online forums for computer support and read a thread that is not only intelligent but cordial. Not to mention, looks like it has saved me a lot of time finding this page. I was wondering if the service DHCP allowed in part remote access desktop connections across devices … apparently not …

  6. I’m having a problem with my Xbox one changing ip addresses every time I turn it off and on. Will disabling the dhcp stop changing the ip address on my Xbox. Or is there a better method of stopping my up address from changing when connecting to Xbox live?

Comments are closed.

Sponsored Stories