
Why does DHCP use ports 67 and 68?
DHCP servers use port 67/udp to receive requests and send responses, while DHCP clients use port 68/udp to broadcast discovery messages and receive configuration data.
Dynamic Host Configuration Protocol plays a critical role on your network. It enables client devices, such as workstations, tablets and smartphones, to lease IP address configurations. DHCP frees administrators from this tedious and error-prone task.
The DHCP lease generation process consists of four steps and is initiated by the client system:
- Discover. The DHCP client broadcasts for a DHCP server.
- Offer. The DHCP server responds by broadcasting an IP address offer.
- Request. The DHCP client broadcasts a formal request to use the offered IP address.
- Acknowledge. The DHCP server finalizes the lease by acknowledging the client's request.
Clients periodically renew the configuration by completing steps three and four before the lease expires.
Like other network services, DHCP relies on numbered application layer ports to provide connectivity. Whereas Secure Shell (SSH) uses port 22/tcp, HTTP uses port 80/tcp and HTTPS uses port 443/tcp, DHCP relies on ports 67/udp and 68/udp.
Many administrators also rely on Preboot Execution Environment (PXE) communications to deliver boot information to devices as part of remote OS installation or thin client configuration. PXE begins this process by using DHCP before relying on Trivial FTP and other services.
Managing DHCP ports 67 and 68 is crucial to enable fundamental client configurations in your network environment. This article explores these two ports and provides troubleshooting tips for managing them effectively.

What are the DHCP ports?
In the first step of the DHCP lease generation process, client devices broadcast a Discover message targeting port 67. The DHCP server listens for such broadcasts on this port.
Server responses target client port 68. Client devices rarely have an assigned well-known port, but it's essential in this case because the clients don't yet have a unique IP address.
The DHCP service uses the following ports:
- Client-to-server DHCP communications target server port 67.
- Server-to-client DHCP communications target client port 68.
What is DHCP port 67?
Each service listens on a well-known and unique port number to avoid communications conflicts and confusion. The DHCP service software on your server or router listens for inbound DHCP traffic on port 67/udp in the same way that an HTTP service listens on port 80/tcp or SSH listens on port 22/tcp.

The DHCP Discover and DHCP Request steps of the lease generation process target the listening server's port 67/udp. The TCP/IP stack sends DHCP communications to the DHCP service software based on this port number.
What is DHCP port 68?
The client's TCP/IP stack directs inbound DHCP Offer and DHCP Acknowledge communications to the DHCP client software based on their destination port, 68/udp.
DHCP clients do not yet have a unique IP address configuration. After all, that's the whole purpose of this DHCP communication. All connectivity during the four-step lease generation process is based on broadcast. Assigning well-known port 68 to client systems ensures the DHCP response reaches the DHCP client software. If it used a random port, as with most other client applications, there would be a significantly higher risk of conflicts or non-DHCP applications attempting to process DHCP messages.
Once the four-step lease generation process is complete, the client devices have a full IP address configuration, making traditional network unicast connectivity with other services possible.
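The port usage described above can be checked against individual datagrams. The following Python sketch is an added example, not code from the article: it builds minimal DHCP payloads as constructed sample data, reads the message type from option 53, and compares the transport and port pair with what the article describes. The function names are hypothetical, and it assumes no relay agent sits between client and server.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # separates the fixed header from the options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def build_message(msg_type, xid, mac):
    """Build a minimal DHCP payload (constructed sample data, not a capture)."""
    op = 1 if msg_type in (1, 3) else 2            # 1 = client request, 2 = server reply
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # broadcast flag set
    header += bytes(16)                            # ciaddr, yiaddr, siaddr, giaddr
    header += mac.ljust(16, b"\x00") + bytes(192)  # chaddr, then sname and file
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

def parse_message(payload):
    """Return (op, message type name) read from the header and option 53."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                        # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and len(value) == 1:
            return payload[0], MSG_TYPES.get(value[0], f"TYPE-{value[0]}")
        i += 2 + length
    return payload[0], None

def check_datagram(proto, sport, dport, payload):
    """Compare one observed datagram with the port usage the article describes."""
    op, name = parse_message(payload)
    if name is None:
        return "no DHCP message type option"
    if proto != "udp":
        return f"{name}: wrong transport {proto}, DHCP uses udp"
    expected = (68, 67) if op == 1 else (67, 68)   # assumes no relay agent in the path
    if (sport, dport) != expected:
        return f"{name}: unexpected ports {sport}->{dport}, expected {expected[0]}->{expected[1]}"
    return f"{name}: ok"

if __name__ == "__main__":
    mac = bytes.fromhex("020000000001")            # constructed MAC address
    print(check_datagram("udp", 68, 67, build_message(1, 0x1A2B3C4D, mac)))
    print(check_datagram("tcp", 67, 68, build_message(2, 0x1A2B3C4D, mac)))
```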
Troubleshoot DHCP ports 67 and 68
Most DHCP problems are related to either the firewall or service configuration. Overall, DHCP is a relatively hassle-free service. It's old, reliable and simple. However, issues happen sometimes.
First, DHCP relies on the transport layer User Datagram Protocol (UDP). Many other critical services use TCP instead. However, because DHCP client devices don't have a complete identity yet, TCP handshakes and packet loss mitigation aren't possible.
Begin troubleshooting by looking at the firewall and checking the following:
- Avoid blocking port 68/udp on client systems.
- Avoid blocking port 67/udp on DHCP server systems.
- Avoid blocking ports 67/udp and 68/udp on firewalls or other security appliances.
- Avoid misconfiguring DHCP rules by specifying TCP rather than UDP.
Most modern OSes handle these ports for you.

Firewall configurations are one concern, but the DHCP service itself might also cause problems. Work through the following checks:
- DHCP service is started.
- DHCP service is listening on the correct interface.
- DHCP scope is enabled.
- DHCP scope has available IP addresses to lease.
- Review log files related to DHCP.
Assuming DHCP is properly configured, look for other possible problems, including the following:
- Custom applications might be misconfigured to use ports 67/udp and 68/udp.
- Be sure the DHCP scope does not overlap with static IP addresses or reserved IP settings.
You might also find standard network troubleshooting tools helpful, such as the following:
- Nmap to scan for DHCP services and port 67/udp.
- Nmap to scan for DHCP clients on port 68/udp.
- Wireshark or tcpdump to intercept DHCP communications.
Many routers block DHCP communications between subnets because the lease generation traffic uses broadcasts. In other words, DHCP servers and clients that reside on separate networks require additional configuration for the service to function correctly. This approach normally involves the use of DHCP relay agents or specific router settings.
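The checklists in this section can be applied to a packet capture taken on the DHCP server's interface. The following Python sketch is an added example, not code from the article: it groups a constructed capture summary by transaction ID, finds the last lease generation step each transaction reached, and points to the checklist item to look at next. The mapping from stall point to check is this example's interpretation, and the names are hypothetical.

```python
from collections import defaultdict

STEPS = ["DISCOVER", "OFFER", "REQUEST", "ACK"]

# What to check when a transaction stops after a given step, as seen from the
# server's interface. This mapping is the example's reading of the checklists.
NEXT_CHECK = {
    "DISCOVER": "server got the request but sent no Offer: is the service started, "
                "listening on this interface, and does the scope have free addresses?",
    "OFFER": "Offer sent but no Request came back: is 68/udp blocked on the client "
             "or on a firewall in the path?",
    "REQUEST": "Request received but not acknowledged: review the DHCP log files",
}

def diagnose(events):
    """Group (xid, message type) events by transaction and report where each stopped."""
    seen = defaultdict(set)
    for xid, msg in events:
        if msg in STEPS:
            seen[xid].add(msg)
    report = {}
    for xid, msgs in seen.items():
        if "ACK" in msgs:
            # Renewals repeat only Request and Acknowledge, so no Discover is expected.
            report[xid] = "lease complete" if "DISCOVER" in msgs else "renewal complete"
        else:
            last = max(msgs, key=STEPS.index)
            report[xid] = f"stopped after {last}: {NEXT_CHECK[last]}"
    return report

# Constructed capture summary: (transaction id, DHCP message type) in arrival order.
SAMPLE = [
    (0x11, "DISCOVER"), (0x11, "OFFER"), (0x11, "REQUEST"), (0x11, "ACK"),
    (0x22, "DISCOVER"), (0x22, "DISCOVER"),
    (0x33, "REQUEST"), (0x33, "ACK"),
    (0x44, "DISCOVER"), (0x44, "OFFER"),
]

if __name__ == "__main__":
    for xid, result in diagnose(SAMPLE).items():
        print(f"xid {xid:#04x}: {result}")
```

If a client is trying to obtain a lease and the report has no entry for it, its Discover never reached this interface, which points to a blocked port 67/udp or a missing relay agent between subnets.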
Best practices for managing DHCP ports 67 and 68
DHCP is typically a set-it-and-forget-it service. Client and server devices usually configure it as a standard service. However, it's crucial to ensure that ports 67/udp and 68/udp are available and not blocked by a firewall or other security settings.
Be prepared to check the following settings to ensure the service works correctly:
- Firewall rules.
- Service configuration and availability.
- Log files.
- Client device settings.
Use these practices to provide efficient and reliable DHCP services to your clients today.
Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial, The New Stack and CompTIA Blogs.