DHCP option 121 on windows

Cristhian Angarita 0 Reputation points

Hi Microsoft Team,

We're investigating TunnelVision vulnerability and looking for remediation such as disabling DHCP option 121 on Windows.

google results are not promising, however, Microsoft may have a way to disable DHCP option 121 (like a registry flag) or some other means to ignore classless routes via DCHP.

Can you help us, please?

A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,939 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. S.Sengupta 16,481 Reputation points MVP

    Unfortunately, there currently isn't a direct way to disable DHCP option 121 on Windows client machines.

    Here's how to mitigate the TunnelVision vulnerability (CVE-2020-1472) instead:

    Patch Windows machines. Ensure all systems have the latest security updates, including the May 2020 patches for TunnelVision.

    Segment your network. Isolate critical systems on separate VLANs or use NAC to restrict device communication.

    Enforce strong network security. Implement practices like least privilege access, firewalls, and IDS/IPS.

    Harden your DHCP server (if applicable). Restrict who can receive option 121 and limit the number of static routes provided.

    0 comments No comments

  2. Jing Zhou 3,435 Reputation points Microsoft Vendor



    Thank you for posting in Q&A forum.

    To remove DHCP option 121, please kindly try below steps:

    1.Open DHCP Management Console:

    2.Navigate to the Scope Options:

    3.Expand the DHCP server node and relevant scope.

    4.Right-click on "Scope Options" and select "Configure Options".

    5.Remove the Classless Static Route Option (Option 121):

    6.In "Advanced" tab, disable option 121 by unchecking.

    7.Apply and check if it works.


    Best regards,

    Jill Zhou


    If the Answer is helpful, please click "Accept Answer" and upvote it.

  3. Balasubramanian, Gopikrishnan 0 Reputation points

    Hi Team,

    This option of disabling DHCP 121 would be possible only when we manage DHCP server in our local office network. Lets say when someone accesses the office network from public (coffee shop) wifi network via VPN then how do we manage that local DHCP server.

    Appreciate your timely response.



    0 comments No comments