This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 35%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECA%3C/text%3E%3C/svg%3E)
Hi Microsoft Team,
We're investigating TunnelVision vulnerability and looking for remediation such as disabling DHCP option 121 on Windows.
google results are not promising, however, Microsoft may have a way to disable DHCP option 121 (like a registry flag) or some other means to ignore classless routes via DCHP.
Can you help us, please?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 23%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Unfortunately, there currently isn't a direct way to disable DHCP option 121 on Windows client machines.
Here's how to mitigate the TunnelVision vulnerability (CVE-2020-1472) instead:
Patch Windows machines. Ensure all systems have the latest security updates, including the May 2020 patches for TunnelVision.
Segment your network. Isolate critical systems on separate VLANs or use NAC to restrict device communication.
Enforce strong network security. Implement practices like least privilege access, firewalls, and IDS/IPS.
Harden your DHCP server (if applicable). Restrict who can receive option 121 and limit the number of static routes provided.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 11%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJZ%3C/text%3E%3C/svg%3E)
Hello,
Thank you for posting in Q&A forum.
To remove DHCP option 121, please kindly try below steps:
1.Open DHCP Management Console:
2.Navigate to the Scope Options:
3.Expand the DHCP server node and relevant scope.
4.Right-click on "Scope Options" and select "Configure Options".
5.Remove the Classless Static Route Option (Option 121):
6.In "Advanced" tab, disable option 121 by unchecking.
7.Apply and check if it works.
Best regards,
Jill Zhou
If the Answer is helpful, please click "Accept Answer" and upvote it.
May I know whether your issue has been solved or not? If not, please share it in here. We can work together to figure it out.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 9%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBG%3C/text%3E%3C/svg%3E)
Hi Team,
This option of disabling DHCP 121 would be possible only when we manage DHCP server in our local office network. Lets say when someone accesses the office network from public (coffee shop) wifi network via VPN then how do we manage that local DHCP server.
Appreciate your timely response.
Regards
Gopi