LiveWire 25.1.0 New Features
Added More DHCP/DNS LiveFlow Alerts to LiveFlow
The following DHCP/DNS LiveFlow Alerts have been added to LiveFlow. The notes for each alert give a description, the likely causes, and a remedy.

1. DHCP Frequent Retransmissions
Description: Repeated DHCPDISCOVER or DHCPREQUEST messages observed from a given client within a short time period.
 
Cause: Retransmission occurs when the DHCP client isn't receiving a response from a server in a timely fashion. This may be because the client's message isn't reaching the server, because the server isn't configured to provide leases for the client subnet, or because the subnet has been exhausted of free leases. Retransmissions can also occur when the DHCP client is receiving a DHCPOFFER for a lease it can't accept: for example, the offer may be missing DHCP options critical to the device's operation, such as vendor-specific information (option 43), or options specifying where the device can load a boot image and/or configuration file.
 
Remedy: Determine whether any responses from a DHCP server to the client are seen on the wire. If no responses are observed, verify that the DHCPDISCOVER or DHCPREQUEST messages are reaching the appropriate DHCP server(s). Check the logs of the DHCP server(s) to verify the server is seeing the message(s) and for a reason why it may not be sending a response. Check the configuration of the DHCP server(s) to ensure they're configured to serve leases for the client's subnet, and verify that DHCP relay(s) are correctly configured on the router(s) in the DHCP client's local subnet. If responses are observed, check the logs of the DHCP client(s) for a reason why the client may be rejecting the lease, and verify that the necessary DHCP options for the client are properly configured on the DHCP server(s).
2. DHCP Low Lease Time
Description: The client has been offered an IP address lease in which the lease time is at or below the threshold.
 
Cause: The DHCP server's lease time is configured "too low" for the environment, so the offered lease falls at or below the alert threshold.
 
Remedy: Consider an appropriate lease time for your environment, taking into consideration the number of fixed (desktop) nodes, static (server and router) nodes, mobile (laptop wired and wireless) nodes, and the available IP address space for each subnet.
3. DHCP Request Rejected

Description: A DHCP server has rejected a client's DHCPREQUEST (the server responds with a DHCPNAK).
 
Cause: A client is booting and attempting to renew an IP address that has already been reallocated to another client, or the client has moved to a different subnet and is requesting an address that is not valid there (for example, an address statically reserved for it on the DHCP server in its original subnet).
 
Remedy: Ensure that there are adequate IP addresses available for dynamic allocation; if the pool is being exhausted, consider reducing the lease time so that unused addresses return to the pool sooner. Check to see if the client has moved and whether its IP address has been statically assigned to its physical (MAC) address on the DHCP server.
4. DHCP Request Storm

Description: An unusually high number of DHCP addresses are being requested within a short period.
 
Cause: A DHCP starvation (denial-of-service) attack may be in progress, using a utility like Gobbler that sends DHCP requests from many spoofed client hardware addresses to obtain as many leases as possible. Once the pool is exhausted, legitimate requests cannot be fulfilled.
 
Remedy: Disable the offending machine if it is accessible. If the machine is not accessible and your switch allows port blocking, block DHCP traffic on that switch port. Where the switch supports DHCP snooping with per-port rate limiting of DHCP client messages, enabling it on access ports limits the damage such a storm can do.
5. DHCP Slow Response Time
Description: Slow response time from a DHCP server to a DHCPDISCOVER or DHCPREQUEST message from a client.
 
Cause: May be caused by unusual network latency or by the DHCP server itself. The DHCP server may simply be overloaded. Depending on the DHCP server type and configuration, the server may be delayed by, for example, attempting to perform dynamic DNS updates on behalf of the DHCP client. DHCP servers can also be configured in a fallback scenario to intentionally delay their response to requests: the expectation is that, in normal operation, another DHCP server (configured without such a delay) responds to clients first.
 
Remedy: Determine where the delay is being introduced: on the wire, due to latency or network issues from client to server or server to client, or at the DHCP server, between the time a message is received and the time a response is sent. If the delay is on the wire, perform normal diagnostics of the network path. If it is at the DHCP server, check the load on the DHCP server. Review the logs of the DHCP server, correlate the inbound request with the response, and look for unusual log messages between the two, possibly relating to dynamic DNS. Check the configuration of the DHCP server to see if a delayed response has been configured, by intent or by accident.
6. DNS Frequent Retransmissions
Description: Same DNS query, with same transaction ID, repeatedly issued by a client within a short time period.
 
Cause: Caused when the DNS client doesn't receive a (timely) response to a DNS query, and attempts to re-send the same query. May be caused by incorrect DNS resolver configuration on the client, packet loss or network issues between client and server (in either direction), or an overloaded or misconfigured DNS server.
 
Remedy: Determine whether this is an intermittent or consistent problem for a given client or server. If intermittent, investigate whether latency or packet loss is occurring on the network path, and investigate the load on the DNS server(s). If consistent, check the load on the DNS server, and check the configuration and logs of the DNS server(s) to see if the server is actively ignoring requests from the client(s) due to an ACL or other configuration issue.
7. DNS Idle Too Long

Description: A DNS request has gone unanswered, leaving the DNS flow idle for longer than the configured threshold.
 
Cause: The request may be to a caching DNS server that has to look the answer up from an authoritative DNS server, or the network may be congested or have a high round-trip delay from the client or between DNS servers. The DNS request may also have been lost on a congested network. A malicious actor may also use an unanswered DNS request to beacon to a command-and-control server or to exfiltrate data in the query payload.
 
Remedy: Ensure the DNS server is reachable (for example, pingable) and not overwhelmed. Check the contents of the DNS request to ensure it is not malicious: long or high-entropy labels, unusual record types such as TXT or NULL, or many unique subdomains queried under a single parent domain are common signs of DNS tunnelling or beaconing.
8. DNS Query Format Error
Description: A DNS server sent a Format Error (FORMERR) in response to a DNS request, indicating the request was malformed or not understood.
 
Cause: Format Errors can be caused by corruption or manipulation of requests in transit from DNS client to server. If Format Errors are consistently observed in response to queries from the same DNS client(s), the client(s) may be sending problematic requests to the DNS server: the requests may actually be malformed, or they may use a feature (e.g. EDNS) that the DNS server does not support.
 
Remedy: Determine why the Format Errors are occurring. If the cause is a persistent network issue, address the source of corruption or manipulation. If specific client(s) are consistently receiving Format Errors, determine whether the issue is a misbehaving client or, for example, an outdated server that does not support DNS extensions required by those client(s).
9. DNS Server Failure
Description: A DNS server sent a Server Failure (SERVFAIL) error in response to a DNS request, indicating the server could not process the request.
 
Cause: The Server Failure error is a catch-all returned when a DNS server is unable to respond to a request for any reason not covered by the more specific standard errors such as FORMERR (query format error), NOTIMP (function not implemented), or REFUSED (request/access denied). Because of this, it's impossible to define a single generic cause for a Server Failure. That said, probably the most common cause is an inability of the DNS server to communicate with other DNS servers to retrieve information required to answer the query. For example, a secondary DNS server may have been unable to receive a zone transfer from its primary (and the zone has expired), a recursive DNS server may be unable to route to the Internet, or a forwarding DNS server may be unable to contact any of the configured forwarding targets. A validating resolver also returns SERVFAIL when DNSSEC validation of the answer fails, so a SERVFAIL that affects only signed zones points at a DNSSEC problem rather than connectivity.
 
Remedy: Check the connectivity of the DNS server returning Server Failure errors to ensure that it can reach all necessary upstream servers. Check the logs of the DNS server returning Server Failures to discover the specific reason why a Server Failure is being returned.
10. DNS Server Refused Query
Description: A DNS server sent a Refused (REFUSED) error in response to a DNS request, indicating the server refused to service the request.
 
Cause: The Refused error is returned when a DNS server is asked by a client to perform an operation that is disallowed by a configured policy. Common causes are denial due to explicit allow-query ACLs, recursive queries being sent to an authoritative-only server, requesting a full (AXFR) or incremental (IXFR) zone transfer without permission, or attempting to perform a dynamic DNS update without permission.
 
Remedy: Determine whether the request being Refused should or should not be allowed. If the operation should be allowed, modify the configuration of the DNS server to permit the operation. If the operation is being correctly denied, investigate the client(s) to determine why they attempted to perform a disallowed action.
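Each alert above describes a pattern in DHCP or DNS traffic. As an added example (this is not LiveWire/LiveFlow code and does not show how LiveFlow implements its alerting), the following Python sketch evaluates all ten alert conditions over a constructed sample of packet summaries: Frequent Retransmissions for both protocols, DHCP Slow Response Time, Low Lease Time, Request Rejected and Request Storm, DNS Idle Too Long, and the three RCODE-driven DNS alerts, with the DNS transaction ID and RCODE read from raw header bytes. The thresholds, the Event model, the dns_header/dns_event/evaluate helpers, and the sample traffic are all assumptions made for the example.

```python
"""Evaluate the DHCP/DNS alert conditions described above over packet summaries.
Added example, not LiveWire/LiveFlow code; thresholds are illustrative assumptions."""
from collections import defaultdict
from dataclasses import dataclass

RETRANS_WINDOW = 5.0       # seconds within which repeats of the same request are counted
RETRANS_COUNT = 3          # repeats in the window that raise "Frequent Retransmissions"
DHCP_STORM_COUNT = 50      # DHCPDISCOVER/DHCPREQUEST in one window, from any clients
DHCP_SLOW_SECONDS = 2.0    # request-to-response delay that raises "DHCP Slow Response Time"
DHCP_LOW_LEASE = 300       # lease seconds at or below which "DHCP Low Lease Time" is raised
DNS_IDLE_SECONDS = 10.0    # age of an unanswered DNS query that raises "DNS Idle Too Long"

# DNS RCODEs (RFC 1035) that map directly to an alert on this page.
RCODE_ALERTS = {1: "DNS Query Format Error", 2: "DNS Server Failure", 5: "DNS Server Refused Query"}
REQUESTS = {"DISCOVER", "REQUEST", "QUERY"}


@dataclass
class Event:
    ts: float
    proto: str    # "dhcp" or "dns"
    client: str   # DHCP: client MAC; DNS: client IP
    msg: str      # DHCP: DISCOVER/OFFER/REQUEST/ACK/NAK; DNS: QUERY/RESPONSE
    key: str      # what "the same message" means: DHCP client MAC, DNS "txid:qname"
    rcode: int = 0
    lease: int = 0


def dns_header(raw: bytes) -> tuple[int, bool, int]:
    """Return (transaction id, is_response, rcode) from a DNS header (RFC 1035 section 4.1.1)."""
    if len(raw) < 12:
        raise ValueError("DNS header is 12 bytes")
    flags = int.from_bytes(raw[2:4], "big")
    return int.from_bytes(raw[0:2], "big"), bool(flags & 0x8000), flags & 0x000F


def dns_event(ts: float, client: str, raw: bytes, qname: str) -> Event:
    """Build a DNS Event from raw header bytes; the key pairs the txid with the queried name."""
    txid, is_resp, rcode = dns_header(raw)
    return Event(ts, "dns", client, "RESPONSE" if is_resp else "QUERY", f"{txid:#06x}:{qname}", rcode)


def evaluate(events: list[Event]) -> list[tuple[float, str, str]]:
    """Return (ts, alert name, client) tuples in the order the alerts fire."""
    alerts = []
    repeats = defaultdict(list)   # (proto, client, key) -> request timestamps inside the window
    pending = {}                  # (proto, client, key) -> ts of the first unanswered request
    dhcp_reqs = []                # timestamps of every DHCP request inside the window
    events = sorted(events, key=lambda e: e.ts)
    for ev in events:
        k = (ev.proto, ev.client, ev.key)
        if ev.msg in REQUESTS:
            repeats[k] = [t for t in repeats[k] if ev.ts - t <= RETRANS_WINDOW] + [ev.ts]
            if len(repeats[k]) == RETRANS_COUNT:
                alerts.append((ev.ts, f"{ev.proto.upper()} Frequent Retransmissions", ev.client))
            pending.setdefault(k, ev.ts)
            if ev.proto == "dhcp":
                dhcp_reqs = [t for t in dhcp_reqs if ev.ts - t <= RETRANS_WINDOW] + [ev.ts]
                if len(dhcp_reqs) == DHCP_STORM_COUNT:   # a storm is segment-wide, not per client
                    alerts.append((ev.ts, "DHCP Request Storm", "*"))
            continue
        first = pending.pop(k, None)  # a response answers the oldest matching request
        if ev.proto == "dns":
            if ev.rcode in RCODE_ALERTS:
                alerts.append((ev.ts, RCODE_ALERTS[ev.rcode], ev.client))
            continue
        if first is not None and ev.ts - first > DHCP_SLOW_SECONDS:
            alerts.append((ev.ts, "DHCP Slow Response Time", ev.client))
        if ev.msg == "NAK":
            alerts.append((ev.ts, "DHCP Request Rejected", ev.client))
        elif ev.msg in ("OFFER", "ACK") and 0 < ev.lease <= DHCP_LOW_LEASE:
            alerts.append((ev.ts, "DHCP Low Lease Time", ev.client))
    # Queries still unanswered at the end of the sample have been idle since they were sent.
    end = events[-1].ts if events else 0.0
    for (proto, client, _key), t in pending.items():
        if proto == "dns" and end - t > DNS_IDLE_SECONDS:
            alerts.append((t, "DNS Idle Too Long", client))
    return alerts


# Constructed sample traffic (not a real capture). DNS headers: id, flags, then four zeroed counts.
QUERY = b"\x01\x00" + b"\x00" * 8     # QR=0, RD=1
SERVFAIL = b"\x81\x82" + b"\x00" * 8  # QR=1, RD=1, RA=1, RCODE=2
REFUSED = b"\x81\x85" + b"\x00" * 8   # QR=1, RD=1, RA=1, RCODE=5
SAMPLE = [
    dns_event(0.0, "10.0.0.5", b"\x1a\x2b" + QUERY, "www.example.com."),
    dns_event(1.0, "10.0.0.5", b"\x1a\x2b" + QUERY, "www.example.com."),
    dns_event(2.0, "10.0.0.5", b"\x1a\x2b" + QUERY, "www.example.com."),    # third repeat
    dns_event(2.2, "10.0.0.5", b"\x1a\x2b" + SERVFAIL, "www.example.com."),
    dns_event(3.0, "10.0.0.7", b"\x00\x01" + QUERY, "corp.example."),
    dns_event(3.1, "10.0.0.7", b"\x00\x01" + REFUSED, "corp.example."),
    dns_event(4.0, "10.0.0.9", b"\x77\x77" + QUERY, "aGVsbG8gd29ybGQ.t.example."),  # never answered
    Event(5.0, "dhcp", "aa:bb:cc:dd:ee:01", "DISCOVER", "aa:bb:cc:dd:ee:01"),
    Event(8.5, "dhcp", "aa:bb:cc:dd:ee:01", "OFFER", "aa:bb:cc:dd:ee:01", lease=120),
    Event(10.0, "dhcp", "aa:bb:cc:dd:ee:02", "REQUEST", "aa:bb:cc:dd:ee:02"),
    Event(10.1, "dhcp", "aa:bb:cc:dd:ee:02", "NAK", "aa:bb:cc:dd:ee:02"),
] + [   # starvation burst: DHCP_STORM_COUNT DISCOVERs from distinct spoofed MACs within one second
    Event(20.0 + i * 0.02, "dhcp", f"02:00:00:00:00:{i:02x}", "DISCOVER", f"02:00:00:00:00:{i:02x}")
    for i in range(DHCP_STORM_COUNT)
]

if __name__ == "__main__":
    for ts, name, client in evaluate(SAMPLE):
        print(f"{ts:6.2f}  {name:<30}  {client}")
```

Running the file lists eight alerts from the sample, in the order they fire. Two design points carry over to any real detector: the DHCP Request Storm is keyed on the whole segment rather than on one client, because a starvation tool spoofs a fresh hardware address per request; and DNS Idle Too Long is only decidable once the flow has aged past the threshold, which is why it is evaluated after the pass over the traffic rather than on a single packet.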