I don’t know if there’s any pre-built scripting out there (yet) for this but it’s relatively straight forward in Windows to use powershell and either look in the registry for the assigned dhcp options ( HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options) or check the routing table for illogical routes.
Another possibility is to grab the dhcp test tool from Github, run it in non-interactive mode and then parse it’s output. Something I find VERY interesting is that Andrey Baranov specifically added Option 121 to that tool in March of 2023!
With any of those it’s a matter of what you want to have happen when you detect the problem such as warning the user and disconnecting the vpn or attempting to mitigate the problem by reconfiguring the routing table.
I should point out that Option 121 is a legit thing and it does have valid uses so you can’t assume something nefarious just because it’s being used.
I’ll probably be scripting up a remediation over the next few days, I’ll try and remember to come back and share what I did.
I don’t know if there’s any pre-built scripting out there (yet) for this but it’s relatively straight forward in Windows to use powershell and either look in the registry for the assigned dhcp options ( HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options) or check the routing table for illogical routes.
Assuming that you aren’t using split tunneling you could also have powershell check your external IP address for the expected result.
Another possibility is to grab the dhcp test tool from Github, run it in non-interactive mode and then parse it’s output. Something I find VERY interesting is that Andrey Baranov specifically added Option 121 to that tool in March of 2023!
With any of those it’s a matter of what you want to have happen when you detect the problem such as warning the user and disconnecting the vpn or attempting to mitigate the problem by reconfiguring the routing table.
I should point out that Option 121 is a legit thing and it does have valid uses so you can’t assume something nefarious just because it’s being used.
I’ll probably be scripting up a remediation over the next few days, I’ll try and remember to come back and share what I did.