What is DHCP Fingerprinting?

What is DHCP and how does it work?

Dynamic Host Configuration Protocol, or DHCP, is a protocol that automatically assigns IP addresses to devices connected to a network. Every device on a network needs an IP address; that’s how traffic knows where to go. Without DHCP, your network administrator would have to manually assign an IP to each device, which means in a large network that would pretty much be their entire job. Thankfully, setting up a DHCP server means it can be done automatically.


When your device joins a network, it sends out a broadcast request; a DHCP server that is listening on the network will respond and give it an available IP address. This happens using a process called DORA:

Discover: The new clients will send out broadcast message looking for a DHCP server.
Offer: The DHCP server will respond to the client with an IP address it can use
Request: The client will tell the server it accepts the offered IP
Acknowledge: The DHCP servers will acknowledge that the IP was accepted.

If there were an actual conversation, it would look like this:

Client: Hello! Any DHCP servers out there? I need an IP!
DHCP Server: Hello! Yes! I am a DHCP server! You can use!
Client: Thank you! I will start using!
DHCP Server: Great! I’ll list you as from now on!

There can be multiple DHCP servers on one network if there is a high volume of requests.

What is fingerprinting?

Fingerprinting, in terms of cybersecurity, means collecting information to identify something on the network – a device, a protocol, a software package, etc. Often times it’s harder than you think to identify specific devices on your network – there are some common monitoring protocols, but not every device supports them (IoT devices, in particular, present a challenge.)  Many websites use browser fingerprinting, partially to tell you if the browser you’re using might not work properly, and also so they can track the demographics of their site visitors. Sometimes it makes sense to keep things hidden in case someone wants to use this information for nefarious purposes. For instance, if you’re using a version of IIS on your website that has a known vulnerability, a hacker would want to be able to detect any website running on that particular version of IIS to exploit it.

What is DHCP fingerprinting?

DHCP fingerprinting is a method of using DHCP requests to identify information about a device, like device type (laptop, phone, tablet, etc.) and other things like manufacturer, operating system, and firmware. As we discussed above, DHCP requests are made from devices already joined to your network – therefore, assuming your network has not already been breached, it’s not subject to outside influences trying to glean information for nefarious purposes.

As we discussed earlier, the DORA process is how new network devices find the DHCP server, but as it turns out, they also provide some information about themselves when they do it – like their MAC address, which can be used to determine information about the device manufacturer.  DHCP also has the ability to ask for more information about the device using something called option 55, which requests a list of additional parameters in the course of the DORA request format.  The information contained here, and the way the device responds, provides additional information that can be used to tell what kind of device is responding. For instance, only Microsoft devices respond to parameter request list item 249, and parameter list item 43 is a vendor class identifier that will tell you who manufactured the device.

trust zeroes in on the security of applications by integrating the core principles of zero trust into every aspect of application access and interaction. This method demands a meticulous verification process for both users and devices each time an application is accessed, effectively compartmentalizing and securing each application as though it were an isolated fortress. By doing so, it significantly narrows the opportunities for unauthorized entry and mitigates the risk of threat actors navigating laterally within the network, from one application to another. This approach leverages dynamic authentication and rigorous access controls tailored to the unique requirements and sensitivity levels of individual applications. It places a strong emphasis on evaluating the security posture of accessing entities in real-time, ensuring that each session is initiated under the strictest security measures. Application zero trust thereby extends the zero trust philosophy into the granular realm of application security, providing a sophisticated layer of protection that adapts to the complexities of modern application ecosystems. This strategy is particularly pertinent in environments where applications are dispersed across cloud and on-premise infrastructures, requiring a nuanced approach to security that traditional perimeter-based defenses cannot offer. Through application zero trust, organizations can achieve a more refined, application-centric security posture that aligns with the overarching goals of zero trust architecture.

Does a VPN prevent fingerprinting?

No. VPNs do a lot to keep you safe, the main one being masking your IP address from the outside world.  However, they will absolutely not stop you from being fingerprinted via DHCP.  The initial DORA request includes the device MAC address which will get you at least as far as the device manufacturer in most cases. Even if you spoof the MAC address, the parameters in option 55 will likely give your device away with a high degree of accuracy. The good news, though, is that DHCP requests are generally contained within your own network; they don’t usually go across the public internet. So, someone would have to specifically breach your DHCP server to get access to that information, and if that happens, you’ve likely got bigger problems than your devices being fingerprinted.