DHCP Guard

A security feature that prevents rogue devices from handing out bad network settings

What is DHCP Guard?

Every time a device joins your network, it asks for basic connection settings: an IP address, a gateway, and a DNS server. This request goes out as a broadcast, and the first device to respond wins. DHCP Guard makes sure that only your real router is allowed to answer those requests.

Think of it like a classroom where students raise their hand to ask the teacher a question. Without DHCP Guard, anyone in the room could shout out an answer, and the student would just trust whoever spoke first. DHCP Guard makes sure only the actual teacher gets to respond.

Why it matters

Without DHCP Guard, a rogue device on your network can impersonate your router and hand out bad settings. This could redirect your traffic through a malicious gateway, point your DNS to a server that swaps real websites for fake ones, or simply break your internet connection entirely.

This is not just a theoretical risk. A misconfigured second router, a compromised IoT device, or even a misbehaving printer can accidentally act as a rogue DHCP server. When that happens, some devices on the network get working settings from your real router while others get broken or malicious settings from the imposter, making the problem frustrating to diagnose.

What you can do

  • Check whether your router or managed switch supports DHCP snooping or DHCP Guard and enable it if available
  • On UniFi equipment, look for "DHCP Guard" under network security settings
  • On Cisco and other managed switches, enable "DHCP snooping" and mark only your router's port as trusted
  • Avoid plugging consumer routers into your network with their DHCP server enabled; use access point mode instead
  • If you add a second router for a guest network, make sure its DHCP range does not overlap with your main network
  • If devices on your network intermittently lose connectivity or get unexpected IP addresses, a rogue DHCP server may be the cause
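
To follow up on the last item, you can inspect the DHCP replies seen on your network and flag any that do not come from your router. The code below is an added example, not Network Weather's or any vendor's code: it parses raw DHCP OFFER/ACK payloads and reports replies whose server identifier is missing or not in a trusted set. The function names, addresses and sample packets are constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field

def parse_dhcp_reply(payload):
    """Return the settings a client would accept from a DHCP OFFER/ACK, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:
        return None  # too short, not a BOOTREPLY, or not DHCP at all
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end of options
        if payload[i] == 0:                            # 0 = single-byte padding
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                                # truncated option: reject
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    if opts.get(53) not in (b"\x02", b"\x05"):         # 2 = OFFER, 5 = ACK
        return None

    def ips(code):
        raw = opts.get(code, b"")
        return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

    return {"server": (ips(54) or [None])[0],          # option 54 = server identifier
            "offered_ip": str(ipaddress.IPv4Address(payload[16:20])),  # yiaddr
            "gateway": ips(3), "dns": ips(6)}          # options 3 and 6

def find_rogue_replies(payloads, trusted_servers):
    """Return parsed replies whose server identifier is missing or not trusted."""
    parsed = (parse_dhcp_reply(p) for p in payloads)
    return [r for r in parsed if r and r["server"] not in trusted_servers]

def build_reply(msg_type, server, offered, gateway, dns):
    """Build a constructed DHCP reply for the demo (sample data, not a capture)."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         bytes(4), ip(offered), ip(server), bytes(4),
                         bytes(16), bytes(64), bytes(128))
    fields = [(53, bytes([msg_type])), (54, ip(server)), (3, ip(gateway)), (6, ip(dns))]
    options = b"".join(bytes([code, len(val)]) + val for code, val in fields)
    return header + MAGIC_COOKIE + options + b"\xff"

# Constructed samples: the real router at 192.168.1.1 and an imposter at 192.168.1.77.
SAMPLES = [build_reply(2, "192.168.1.1", "192.168.1.50", "192.168.1.1", "192.168.1.1"),
           build_reply(2, "192.168.1.77", "192.168.1.200", "192.168.1.77", "192.168.1.77")]

if __name__ == "__main__":
    for r in find_rogue_replies(SAMPLES, {"192.168.1.1"}):
        print("untrusted DHCP server", r["server"], "gateway", r["gateway"], "dns", r["dns"])
```

A reply flagged here tells you which address is answering and what gateway and DNS it is handing out, which is the information needed to track down the offending device.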

What Network Weather shows you

Network Weather checks whether your router or managed switch has DHCP snooping or DHCP Guard enabled, and warns you if rogue DHCP servers could operate unchecked on your network.

Good: DHCP Guard enabled
Warning: DHCP Guard disabled
