← All concepts
Networking

DHCP explained: how a device gets its IP address

From zero to online in four broadcast packets — the protocol that hands out IP addresses automatically.

13 min read · updated 20 Jun 2026
This concept is explained in five layers — from a simple analogy up to a deep technical dive. Read top-to-bottom, or jump to your level.
On this page
Level 1·A magic address machine that gives every device a name tag.

Explain like I'm 5

Imagine you walk into a huge party and nobody knows who you are. You shout out to the room: "Can someone give me a name badge?" A friendly person at a table hears you, looks at their list of spare badges, and shouts back: "Here, take number 47!" You shout "I'll take number 47!", they confirm "It's yours!", and now everyone at the party knows you as number 47.

That's exactly what happens when your phone or laptop joins a network. The device shouts (broadcasts) "Does anyone hand out addresses?", the DHCP server replies with a spare one, the device claims it, and the server confirms. Four shouts — done. Your device now has an address so it can talk to everyone else.

The key idea

DHCP means you never have to type an IP address by hand. The network sorts it out automatically, every single time.

The address isn't yours forever, though — it's more like borrowing a library book. After a while (the lease time) you have to ask to keep it, or the server lends it to someone else.

Level 2·What DHCP is, why it exists, and the four magic packets.

Beginner

Every device on an IP network needs at least four pieces of information before it can communicate: an IP address, a subnet mask, a default gateway, and one or more DNS server addresses. Before DHCP, a network administrator had to configure all of that by hand on every machine — laptops, printers, phones, servers. On a network of a few hundred devices that's a full-time job. On a network with thousands of devices joining and leaving throughout the day, it's impossible.

The problem DHCP solves

Manual IP configuration doesn't scale. Typos cause duplicate addresses. Tracking which device has which address becomes a spreadsheet nightmare. DHCP replaces all of that with an automatic, auditable, centralised system.

DHCP is defined in RFC 2131 (IPv4) and works by having a central server maintain a pool (range) of available IP addresses and hand them out on demand. Each assignment is called a lease — a temporary loan of an address for a defined period.

The conversation between a new device (client) and the server follows four steps, nicknamed DORA:

  1. DISCOVER — the client broadcasts "Is there a DHCP server out there?" (it has no IP yet, so it can't address anyone directly).
  2. OFFER — the server responds with a proposed IP address and configuration.
  3. REQUEST — the client broadcasts "I'd like that address please" (broadcast again, in case multiple servers offered).
  4. ACK — the server confirms "It's yours for the next N hours/days".
Why broadcast?

The client sends a broadcast because it doesn't yet have an IP address — it literally cannot send a targeted packet. The server identifies the client by its MAC address, which is baked into the network card at the factory.

Level 3·The DORA exchange in detail, lease contents, renewal timers, and relay agents.

Intermediate

Let's walk through each DORA packet in detail, then look at what a lease actually contains and what happens when it needs renewing.

Client (no IP yet)DHCP Server (192.168.1.1)DISCOVER(broadcast, src 0.0.0.0)OFFER(proposed IP + options)REQUEST(broadcast, "I want that IP")ACK(confirmed lease)
The DORA exchange — four packets from "no IP" to "fully configured"

A few important details about those packets:

  • DISCOVER is sent from 0.0.0.0 to 255.255.255.255 — the client has no source address yet.
  • OFFER includes a proposed IP address, lease duration, and server identifier. Multiple servers may each send an offer; the client picks one (usually the first received).
  • REQUEST is still a broadcast — this tells any server whose offer was not chosen to release the address they were holding.
  • ACK commits the lease. The server notes in its database that the address is taken until the lease expires.

A lease is much more than just an IP address. Here is what a typical DHCP ACK delivers:

DHCP OptionCodeExample valuePurpose
IP Address192.168.1.42The address assigned to this client
Subnet Mask1255.255.255.0Determines the local network boundary
Default Gateway3192.168.1.1Where to send packets for non-local destinations
DNS Servers68.8.8.8, 8.8.4.4Name resolution servers
Lease Time5186400 (24 h)How long the address is valid
DHCP Server ID54192.168.1.1Which server issued the lease
Domain Name15corp.example.comDNS suffix for short hostname lookups
NTP Servers42192.168.1.5Time synchronisation servers

DHCP defines over 100 option codes. Routers, vendors, and even network-boot systems use custom options to deliver extra configuration.

Lease renewal follows two timers built into the ACK:

  1. 1
    Lease granted
    T=0
  2. 2
    T1 (~50% of lease time)
    Unicast RENEW to original server
  3. 3
    T2 (~87.5% of lease time)
    Broadcast REBIND — any server
  4. 4
    Lease expires
    Address released; client must restart DORA
Lease lifecycle — T1 and T2 renewal windows
  • T1 (renewal): at roughly 50 % of the lease time the client sends a unicast DHCPREQUEST directly to the server that issued the lease. If the server responds with an ACK, the lease is extended.
  • T2 (rebinding): if T1 renewal fails (the original server is unreachable), at ~87.5 % the client broadcasts a DHCPREQUEST to any available DHCP server asking for a rebind.
  • Expiry: if no server responds before the lease expires, the client releases the address and starts the full DORA sequence again.

DHCP relay agents (also called IP helpers) solve the obvious problem that DHCP DISCOVER is a broadcast — and routers do not forward broadcasts between subnets. Without a relay agent, you would need a DHCP server on every single subnet.

A relay agent is a small piece of software running on the router (or layer-3 switch) at the edge of each subnet. When it receives a broadcast DISCOVER on a local interface, it inserts the client subnet's address into the giaddr (gateway IP address) field and unicasts the packet to the central DHCP server. The server uses giaddr to know which pool to allocate from, and the reply goes back via the relay agent to the client.

interface GigabitEthernet0/1
  description "Warehouse subnet 10.20.30.0/24"
  ip address 10.20.30.1 255.255.255.0
  ip helper-address 10.0.0.5
!
Cisco IOS — enabling a DHCP relay agent on a router interface
One server, many subnets

With ip helper-address (or the equivalent on your platform), a single DHCP server can serve every subnet in your organisation. The relay agent bridges the broadcast/unicast gap transparently.

Level 4·Security threats, reservations, DHCPv6, SLAAC, and PXE network boot.

Advanced

Once you understand how DHCP works mechanically, the next step is understanding where it can go wrong — and how to defend it.

Rogue DHCP servers are the most common attack. Because the client takes the first OFFER it receives, an attacker who can plug in a device (or run a VM) and respond faster than the legitimate server can hand out a malicious gateway and DNS server. Every client that accepts the rogue lease is now sending traffic through the attacker — a textbook man-in-the-middle attack.

DHCP starvation is a denial-of-service variant: an attacker floods the server with DISCOVER packets, each with a spoofed, unique MAC address. The server allocates an address for every request until the pool is exhausted. Legitimate clients then get no address and cannot join the network.

DHCP has no built-in authentication

Any device on the network can impersonate a DHCP server or flood the server with requests. The protocol trusts the network. Your switch infrastructure must enforce trust boundaries.

DHCP snooping is the primary mitigation, implemented at the switch layer. You designate one or more switch ports as trusted (uplinks to the real DHCP server or relay agent) and all other ports as untrusted. The switch inspects DHCP traffic and:

  • Drops any DHCP OFFER or ACK arriving on an untrusted port (killing rogue server responses).
  • Builds a snooping binding table mapping MAC address to IP address to VLAN to port.
  • Enforces rate limits on DISCOVER packets from untrusted ports (mitigating starvation).
  • Feeds the binding table to Dynamic ARP Inspection (DAI) and IP Source Guard for additional protection.
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet0/48
  description "Uplink to core switch"
  ip dhcp snooping trust
!
Cisco IOS — enabling DHCP snooping on a VLAN and marking the uplink trusted

DHCP reservations (sometimes called static assignments or fixed-address) let you pin a specific IP address to a specific MAC address within the DHCP server itself. The device still goes through DORA — it gets the benefits of central management and DNS registration — but always receives the same address. This is preferable to truly static configuration on the device for servers and printers, because the address is tracked in one place.

DHCPv6 and SLAAC — IPv6 takes a different approach. Stateless Address Autoconfiguration (SLAAC) allows a device to construct its own global address by combining the /64 network prefix (advertised by the router via ICMPv6 Router Advertisements) with a host portion derived from its MAC address (EUI-64) or a random stable value (RFC 7217). No server needed.

DHCPv6 (RFC 3315 / RFC 8415) does exist and can provide a stateful assignment much like DHCPv4, but critically: DHCPv6 does not carry the default gateway — that still comes from Router Advertisements. Organisations often run both: SLAAC or DHCPv6 for the address, RAs for the gateway, and DHCPv6 options for DNS.

FeatureDHCPv4SLAACDHCPv6 (stateful)
IP address assignmentServerSelf (prefix + host bits)Server
Default gatewayOption 3Router AdvertisementRouter Advertisement
DNS serverOption 6Via RA (RDNSS option)Via DHCPv6 option
Central tracking / binding tableYesNoYes
Requires serverYesNoYes

PXE (Preboot Execution Environment) network boot uses DHCP to bootstrap diskless machines. The DHCP server returns two extra options in its ACK:

  • Option 66 / next-server (siaddr): the IP address of the TFTP server holding the boot image.
  • Option 67 / filename: the path to the bootloader (e.g. pxelinux.0) on that TFTP server.

The network card firmware reads these options, downloads the bootloader over TFTP, and hands off control — all before any operating system is loaded. Kubernetes cluster provisioning, OS imaging, and diskless thin-client environments all rely on this mechanism.

Level 5·Packet internals, edge cases, failure modes, and operational hard-won wisdom.

Deep dive

Packet format internals. A DHCP message is carried over UDP: the client sends from port 68 to port 67 (server). On the wire, DHCP reuses the older BOOTP packet format — the first 236 bytes are fixed fields (transaction ID xid, client MAC chaddr, giaddr, etc.) followed by a 4-byte magic cookie (0x63825363) and then variable-length options. The xid (a random 32-bit transaction ID) is critical: it lets the client correlate OFFERs and ACKs with its own DISCOVER and REQUEST, even in a broadcast environment where many transactions may be in flight simultaneously.

Option 82 (Relay Agent Information). When a relay agent forwards a DISCOVER to the server, it can insert Option 82, which encodes sub-options identifying exactly which physical port and VLAN the client arrived on. The DHCP server can use this to assign addresses from pool-per-port policies, and the binding table becomes more granular. Option 82 also makes starvation harder — forged MACs don't get past port-level policy.

Duplicate Address Detection (DAD). After receiving an ACK, a careful client sends an ARP probe (ARP request for the offered IP with sender IP = 0.0.0.0). If anything responds, the client declines the lease with a DHCPDECLINE and the server marks that address as in conflict. On IPv6, DAD is built into the spec and uses Neighbour Solicitation before committing any address — SLAAC or DHCPv6.

Lease database and split-scope HA. Enterprise DHCP servers (ISC Kea, Microsoft DHCP, Cisco) support high availability via failover protocols. Two servers share a pool: one is primary, one secondary. They replicate the binding database over a dedicated connection. On primary failure, the secondary waits for the Maximum Client Lead Time (MCLT) before assuming full control, to avoid issuing addresses the primary already allocated but hasn't replicated yet. Getting MCLT and load-balance percentages wrong is a common cause of duplicate-IP incidents during failover.

The split-brain failure mode

If the failover link between primary and secondary drops but both servers remain reachable by clients, you get a split-brain: both servers allocate from the full pool independently and hand out duplicate IPs. Always monitor the failover channel separately from the data path.

Pool exhaustion and sizing. A lease time that's too long means churning clients (laptops docking and undocking, conference phones) hold leases long after they've left. A lease time that's too short floods the server with renewals and risks brief disruption if the server is momentarily overloaded. Common rule of thumb: lease time about 2x the typical time between client disconnects. For a corporate LAN with nightly logoffs, 8–24 hours is typical; for a coffee-shop hotspot where devices turn over every hour, 1–2 hours is more appropriate.

Security — rogue server detection. Beyond DHCP snooping, some organisations run rogue DHCP detection tools (e.g., dhtest, passive monitoring of OFFER packets on a mirror port) to alert when an unexpected server responds. On Windows domains, authorisation via Active Directory adds a second layer: a Windows DHCP server that detects it is not authorised in AD will shut itself down.

DHCPv6 prefix delegation (PD). In home and ISP contexts, a customer router uses DHCPv6 with the IA_PD option to request a whole /48 or /56 prefix from the upstream ISP. The router then subdivides and delegates /64s to its internal interfaces via SLAAC RAs. This is how residential IPv6 connectivity works — the CPE router is simultaneously a DHCPv6 client (upstream) and a SLAAC RA server (downstream).

Troubleshooting checklist. When a device fails to get an address:

  • Is the DHCP server running? Check systemctl status isc-dhcp-server / kea-dhcp4.
  • Is the relay agent configured? Run show ip interface on the router; verify ip helper-address points to the right server.
  • Is the pool exhausted? Check show dhcp lease or server logs for "no addresses available".
  • Is DHCP snooping blocking something? Verify the uplink is marked trusted and check show ip dhcp snooping statistics.
  • Is a rogue server responding first? Capture with tcpdump -i eth0 port 67 or port 68 and inspect source MACs on OFFER packets.
  • Is the firewall between relay agent and server allowing UDP 67/68?
# Capture DHCP packets and show key fields
tcpdump -i eth0 -n -v 'port 67 or port 68'
Quick capture of DHCP traffic on Linux to debug the exchange
The one-paragraph summary

DHCP solves the impossible scale problem of manually assigning IP configuration to every device by automating it with a four-packet exchange (DORA) over UDP broadcasts — the client shouts into the network, the server offers an address from its pool, the client claims it, and the server confirms the lease. A lease carries the full IP stack configuration (address, mask, gateway, DNS, and arbitrary options), and two built-in timers (T1 at ~50 %, T2 at ~87.5 % of lease time) drive renewal before expiry. Relay agents (ip helper-address) bridge the broadcast/unicast gap so one central server can serve hundreds of subnets, while DHCP snooping on the switch layer is the primary defence against rogue servers and starvation attacks. IPv6 complicates things pleasantly: SLAAC lets devices self-assign from a router-advertised prefix with no server at all, while DHCPv6 handles the stateful cases — but the default gateway always comes from Router Advertisements, not DHCPv6.

Frequently asked questions

What is the difference between a static IP and a DHCP reservation?

A static IP is configured manually on the device itself and exists outside DHCP entirely. A DHCP reservation is configured on the server: the device still uses DHCP (full DORA exchange) but always receives the same IP because the server matches its MAC address. Reservations are preferred for managed infrastructure because the address is tracked centrally and the device benefits from DHCP-registered DNS updates.

Can two DHCP servers hand out addresses on the same subnet?

Yes, but you must be careful. If both servers share the same pool without a failover/split-scope arrangement they will hand out duplicate addresses. The correct approach is either a formal failover protocol (ISC DHCPd or Kea failover, Microsoft DHCP failover) or a manually split pool where each server owns a non-overlapping range.

What happens when a DHCP lease expires?

The client should have already tried to renew at T1 (~50 % of lease time) and rebind at T2 (~87.5 %). If both fail and the lease expires, the client releases the address, loses IP connectivity, and restarts the full DORA exchange. On most operating systems this triggers an immediate re-attempt rather than waiting, so the outage is brief — unless the server is genuinely down or the pool is exhausted.

Why do I get a 169.254.x.x address?

That is an APIPA (Automatic Private IP Addressing) address. Windows and macOS assign one automatically when DHCP fails — the device sent DISCOVERs, got no response, and self-assigned a link-local address so local communication can continue. It means your DHCP server is unreachable: check the server is running, the relay agent is configured, and there are addresses left in the pool.

Does DHCPv6 replace SLAAC for IPv6?

No — they coexist. SLAAC (driven by ICMPv6 Router Advertisements) is always responsible for distributing the default gateway. DHCPv6 can provide a stateful address assignment and additional options like DNS servers, but a network can run either SLAAC-only, DHCPv6-only, or both simultaneously. Router Advertisement flags (M and O bits) signal to clients which mode to use.

What is DHCP snooping and do I need it?

DHCP snooping is a switch-level feature that restricts which ports are allowed to send DHCP OFFER and ACK packets (trusted ports only). Without it, any device on your network can impersonate a DHCP server and redirect all traffic through an attacker's gateway. If you run a managed network with untrusted endpoints (corporate LAN, campus Wi-Fi, data centre), DHCP snooping should be considered a baseline security control.

Keep going

Subnetting and CIDRHow DNS worksNetworking track

ShellQuest turns concepts like this into bite-sized lessons, puzzles and labs you actually practise.

Join the waitlist