What protects against unauthorized DHCP responses on a network?

DHCP Snooping is a security feature that acts as a firewall between untrusted hosts and trusted DHCP servers. It helps to prevent man-in-the-middle attacks by filtering out potentially malicious DHCP responses from unauthorized servers. By allowing only DHCP messages from trusted sources, DHCP Snooping effectively ensures that only legitimate IP address assignments are made to devices on the network.

This feature maintains a binding table of valid IP-to-MAC address pairs and the corresponding interfaces, creating a controlled environment where dynamic IP addressing occurs safely. It typically works in tandem with other security measures, such as Dynamic ARP Inspection and IP Source Guard, which complement the protection of the network from DHCP spoofing attacks and other threats.

In contrast, the other options do not provide specific measures against unauthorized DHCP responses. For example, ARP Poisoning relates to the manipulation of ARP messages, which is separate from DHCP processes. Dual Stack refers to the capability of a network to handle both IPv4 and IPv6 simultaneously and does not address DHCP security specifically. A router itself, while crucial for delivering and managing network traffic, does not inherently protect against unauthorized DHCP responses unless specifically configured to implement DHCP Snooping or similar protective measures.