How does DHCP work?

Table of Contents

This is DHCP - introduction

From today's perspective, it is impossible to imagine a modern network infrastructure without the Dynamic Host Configuration Protocol.

If DHCP is activated, it enables automated IP assignment in a network. Especially in larger networks, such as company networks but also in common home networks, such as IP releases via the Fritzbox's DHCP service, the standard for assigning IP to end devices is now automatically configured and set.

This means that manual IP assignment no longer needs to be carried out. The protocol not only takes care of assigning an IP to a device, but also automatically supplies the most important network parameters (more later). This protocol works at Layer 7 (Application Layer) of the OSI model.

DHCP Dynamic Host Configuration Protocol

How does the Dynamic Host Configuration Protocol work?

The Dynamic Configuration Host Protocol works on the client-server principle. When a client is integrated into a network, it normally requests an IP configuration from an associated DHCP server. The already configured server has a so-called pool (range) of IP addresses that it can assign.

In order for the client to have an IP address, it must communicate with the DHCP server. However, this is initially not possible directly. This is because the client does not have a valid IP address, subnet mask or even gateway through which the client can reach the server. The only thing the client can show is its MAC address.

The following explains the individual steps of how the client establishes a connection to the DHCP and receives an IP configuration from the server. This procedure is also known as the “DORA” principle.

Do you want to get started as a penetration tester?
Qualify for your dream job with our practice-oriented intensive course!
To the Junior Penetration Tester certificate course

DHCP Discover

So that the client can reach the associated DHCP server, the client sends a UDP packet with a broadcast request (on layer 2 and layer 3) and the source address (see Figure 1) In short, broadcast means that the packet is sent to all accessible devices within a network and the device being searched for responds. The remaining devices simply discard the packet.

If the DHCP server is not located in the same subnet as the requesting client, the request must originate from the client via a DHCP relay agent processed because broadcast requests are not routed beyond a subnet. The relay agent is usually implemented on a router or switch with a routing function and sends the client's request in the Uni-Cast to the requested DHCP server.

DHCP Offer

The server responds with an offer. It suggests a free IP address to the client and sends this back to the client together with other important network parameters (see later) using a MAC unicast (assuming the server is in the same subnet as the requesting client).

If the DHCP server is in a different subnet than the requesting client, the server sends its information back to the DHCP relay agent in unicast, which then sends it to the desired client in MAC unicast. (see Figure 2).

DHCP request

In order to check whether the proposed IP address that was provided by the server is valid or whether another client has been assigned this IP address in the meantime, the requesting client uses an ARP request to check whether the existing IP address is still valid. If this is the case, the client sends a request back to the server and asks for the configuration.

DHCP acknowledge

After receiving the successful request from the client, the server checks whether the configuration is still free and, if this is the case, sends the IP configuration to the client.

DHCP Operations DORA

What does the IP configuration include?

Depending on the configuration, the following network parameters can be included:

  • IP address with subnet mask
  • Default Gateway
  • DNS server for name resolution
  • Network Time Protocol (NTP)
  • Proxy Server
  • POP3

All this data in the configuration is called “LEASE”. This LEASE is only valid for a certain period of time. This means that the client is only provided with the configuration for a certain period of time.

After approximately 50% of the lease duration, the client sends another request in Uni-Cast to the DHCP server (see Figure 2) and asks for a lease renewal. If the lease is still valid, the DHCP server sends confirmation of the renewal of the lease using an acknowledge. The lease will therefore be valid again.

The allocation of addresses can be tracked in three different ways:

Static assignment

The IP addresses are permanently assigned based on the MAC addresses. The address is assigned for an unlimited period of time. An example of an application would be a printer that should always be accessible at the same address.

Automatic assignment:

The DHCP server has a range (pool) of IP addresses. Once the address from this range has been assigned to a client, it belongs to that client indefinitely, because here too the IP address is bound to the MAC address. This mapping is not lost even if the client is powered off because the mapping is stored in the DHCP server's cache.

Dynamic allocation:

An area is also defined here, but the allocation of addresses is also tied to a defined lease period. After the lease time has expired, the address can be reassigned again. During the lease time, the client can request an extension from the DHCP server.


If the requesting client does not receive a DHCP configuration because the service is not available or has even failed, the client uses a so-called APIPA address. (Automatic Private IP Addressing). This enables the client to continue working locally. However, it usually does not establish a valid connection to the network. (unless other clients also have an APIPA address). The client tries to obtain a valid address every 10 minutes. APIPA is also used for troubleshooting.

The area where APIPA is located is: 169.254.XX /16. (Class B)

Don't want to waste time on your way to becoming a penetration tester?
In our courses, led by experienced penetration testers, you will learn everything you really need for this.
Go to the Junior Penetration Tester Intensive Course
Follow for more!
Newsletter Form

Become a Cyber ​​Security Insider

Get early access and exclusive content!

By signing up, you agree to receive occasional marketing emails from us.
Please accept the cookies at the bottom of this page to be able to submit the form!

Table of Contents

NewsLetter Form Pop Up New

Become a Cyber ​​Security Insider

Subscribe to our knowledge base and get:

Early access to new blog posts
Exclusive content
Regular updates on industry trends and best practices

By signing up, you agree to receive occasional marketing emails from us.
Please accept the cookies at the bottom of this page to be able to submit the form!