Port 647 carries the DHCP Failover Protocol, a mechanism that keeps two DHCP servers in sync so either one can take over if the other fails. Every device on a network needs an IP address. If the DHCP server goes down, new devices can't join and existing leases can't renew. Port 647 exists to prevent that single point of failure.
What DHCP Failover Does
DHCP servers hand out IP addresses to devices on a network. But what happens when that server crashes, loses power, or becomes unreachable? Without failover, devices lose connectivity. New devices can't join. The network breaks.
DHCP Failover solves this by running two servers—primary and secondary—that maintain a persistent TCP connection on port 647. They continuously exchange:
- Lease information — Which IP addresses have been assigned to which devices
- Operational state — Whether each server is functioning normally, communicating, or in failover mode
- Binding updates — Real-time synchronization when leases are granted, renewed, or released
If the primary server fails, the secondary already has all the lease information and takes over immediately. Devices keep their IP addresses. The network stays up.
How It Works
The two DHCP servers establish a TCP connection on port 647 and maintain it continuously. This isn't occasional polling—it's a persistent heartbeat. Each server monitors the other's operational state.
When a client requests an IP address:
- The active server (usually primary) responds to the DHCP request
- It assigns an IP address from its available pool
- It immediately sends a binding update to its partner over port 647
- The partner acknowledges and stores the lease information
Both servers now have identical lease databases. If the primary fails, the secondary detects the lost connection and transitions to active mode. From the client's perspective, nothing changed—their IP address is still valid, their lease is still tracked, and they can renew when needed.
The Draft That Never Died
Here's the strange part: The DHCP Failover Protocol for IPv4 was never officially standardized. It exists as draft-ietf-dhc-failover-12, last updated in March 2003. The draft expired. It was never published as an RFC.
And yet it's been running in production networks for over twenty years.
Microsoft implemented it in Windows Server 2012. ISC DHCP implemented it. Cisco implemented it. The protocol works, networks depend on it, and the fact that it never became an official standard doesn't matter to the servers maintaining connections on port 647 right now.
DHCPv6 eventually got its official standard with RFC 8156 published in June 2017, but IPv4 failover remains in draft limbo—widely deployed, fully functional, technically unofficial.
Port Evolution
Interestingly, port 647 wasn't always the standard. Early implementations of DHCP failover used ports 519 and 520. As recently as 2005, the dhcpd.conf man page showed those ports in failover examples. But by the mid-2000s, TCP port 647 had emerged as the de facto standard binding for the primary server (with port 847 sometimes used for the peer).
IANA officially assigned port 647 to "dhcp-failover," cementing what had already become common practice.
Security Considerations
Port 647 carries the entire lease database between servers. An attacker with access to this traffic could:
- See which IP addresses are assigned to which MAC addresses
- Potentially inject false binding updates to cause IP conflicts
- Disrupt the failover mechanism itself
Best practices:
- Restrict port 647 to communication only between the two DHCP failover partners
- Use firewall rules to block port 647 from all other sources
- Place DHCP servers on a trusted network segment
- Consider using IPsec or another encryption method for the failover connection
- Monitor the failover connection for unexpected interruptions
The failover protocol itself doesn't include built-in encryption. Security depends on network segmentation and access control.
Checking What's on Port 647
To see if DHCP failover is running on your system:
Linux:
Windows:
You should see a TCP connection in ESTABLISHED state between your two DHCP servers. If the connection is down, failover isn't working.
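The script below is an added example, not part of the original page. It applies two of the points above to `ss -Htn` output: there should be an ESTABLISHED session with the failover partner, and no other host should hold a session on port 647. The partner address 192.0.2.11 and all sample lines are constructed, and IPv4 addressing is assumed.

```bash
#!/usr/bin/env bash
# Added example: audit TCP sessions on the DHCP failover port (IPv4 only).
FAILOVER_PORT=647

# check_failover PEER_IP   (reads `ss -Htn` output on stdin)
# Prints findings and returns:
#   0  ESTABLISHED session with the partner, nothing else on the port
#   1  no ESTABLISHED session with the partner (failover is not working)
#   2  a host other than the partner holds a session on the failover port
check_failover() {
  awk -v peer="$1" -v port="$FAILOVER_PORT" '
    function hostof(ep) { sub(/:[0-9]+$/, "", ep); return ep }
    function portof(ep) { sub(/^.*:/, "", ep); return ep }
    {
      state = $1; laddr = $4; raddr = $5
      # Either end may own port 647; the other end is an ephemeral port.
      if (portof(laddr) != port && portof(raddr) != port) next
      if (hostof(raddr) == peer) {
        if (state == "ESTAB") up = 1
        else print "WARN partner session in state " state
      } else {
        print "ALERT unexpected host on failover port: " hostof(raddr) " (" state ")"
        rogue = 1
      }
    }
    END {
      if (!up) print "ALERT no ESTABLISHED failover session with " peer
      exit (rogue ? 2 : (up ? 0 : 1))
    }'
}

# Constructed sample inputs; addresses are RFC 5737 documentation ranges.
SAMPLE_HEALTHY='ESTAB 0 0 192.0.2.10:647 192.0.2.11:51514
ESTAB 0 0 192.0.2.10:22 198.51.100.7:50022'
SAMPLE_ROGUE='ESTAB 0 0 192.0.2.10:647 192.0.2.11:51514
ESTAB 0 0 192.0.2.10:647 203.0.113.50:40100'
SAMPLE_DOWN='TIME-WAIT 0 0 192.0.2.10:647 192.0.2.11:51514'

# On a live failover partner: ss -Htn | check_failover <partner-ip>
for sample in "$SAMPLE_HEALTHY" "$SAMPLE_ROGUE" "$SAMPLE_DOWN"; do
  printf '%s\n' "$sample" | check_failover 192.0.2.11 || echo "exit status $?"
done
```

Run from cron or a monitoring agent, a non-zero exit status gives an alert both when the failover link drops and when an unexpected host reaches the port.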
Related Ports
- Port 67 — DHCP server (UDP) - where clients send requests
- Port 68 — DHCP client (UDP) - where servers send responses
- Port 847 — Sometimes used as the peer port for DHCP failover
- Port 4011 — DHCP failover load balancing (less common)
Why This Matters
DHCP is invisible infrastructure. When it works, nobody notices. When it fails, the entire network notices.
Port 647 exists so that failure doesn't happen. Two servers watching each other, sharing every lease, ready to take over at any moment. The connection on port 647 is the safety net for every IP address on your network.
The protocol was drafted in 2003 and never officially standardized. It doesn't matter. It works. It's running right now in hospitals, datacenters, universities, and office buildings around the world. The formal RFC status is irrelevant to the servers keeping the network alive.
That's port 647. The failover heartbeat. The redundancy you hope you never need, and the reason you don't notice when you do.