Mikrotik Rogue DHCP server prevention

What is a rogue DHCP server? It is an unknown DHCP server that has been set up on your network. The most common scenario we find is a brand-new MikroTik plugged into the network with its default configuration still on, but in some cases this is done intentionally as well.
The issue is that it can hand out duplicate addresses that are not synchronised with the main server, or hand out addresses and gateway addresses that are not reachable through your main router, and so on. Luckily it will not cause many problems right away, but as leases renew or new devices are plugged into the network, devices have more and more chances to get a lease from the rogue DHCP server.

Detecting rogue DHCP servers

One of the ways to keep rogue DHCP servers from causing issues is to set up an alert so you know when a rogue DHCP server is connected to the network. This is set up on your DHCP server by going to IP > DHCP Server, opening the Alerts tab and clicking the plus button.


In the alert configuration you need to set the interface to the bridge or interface that has the valid DHCP server running on it. The Alert Timeout can be set to whatever you prefer; just note that the alert timeout is how long the router holds on to one alert trigger before it is forgotten and a new alert can be generated.
Take for example the settings in the screenshot: if the alert picks up a rogue DHCP server twice within 5 seconds it will only send one email, but if it detects one outside of the initial 5 seconds it will send another email, and so on.

The last part to configure here is the On Alert section. This is run once per alert, and it is just a RouterOS script, so you can notify yourself in a number of ways, such as email or SMS.
The example we are using here sends an email (replace the quoted placeholders with your own values; LAN-Bridge is the interface the alert entry is configured on):
# "unknown-server" is the address of the DHCP server that triggered the alert on LAN-Bridge
/tool e-mail send from="email address you are sending this from" password="password for the email account" server="email server FQDN or IP address" body=("Detected a rogue DHCP server on the LAN, unknown server: " . [/ip dhcp-server alert get LAN-Bridge unknown-server]) subject="ROGUE DHCP SERVER ALERT" to="email address you would like the alert to go to"
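The alert above keys on a "valid server" and reports anything else that answers. As an added example (not from the original post or from MikroTik), here is a small Python parser for DHCPOFFER messages that applies the same idea off-box, e.g. to packets captured on an access port: it extracts the server identifier (option 54), the offered address and the gateway, and flags the offer if the server is not in an allowlist. The allowlist address and the sample offer are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

# Constructed allowlist: the only DHCP server that should answer on this LAN.
VALID_SERVERS = {"192.168.88.1"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV option list of a DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    _ciaddr, yiaddr, siaddr, _giaddr = (IPv4Address(packet[i:i + 4]) for i in range(12, 28, 4))
    chaddr = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    options, i = {}, 240
    while i < len(packet):
        tag = packet[i]
        if tag == 255:          # END option
            break
        if tag == 0:            # PAD option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        options[tag] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": str(yiaddr), "siaddr": str(siaddr),
            "chaddr": chaddr, "options": options}

def classify_offer(packet: bytes, valid_servers=VALID_SERVERS):
    """Return details of a DHCPOFFER and whether it came from an unexpected server."""
    msg = parse_dhcp(packet)
    if msg["op"] != 2 or msg["options"].get(53) != b"\x02":
        return None             # not a server-to-client DHCPOFFER
    server_id = msg["options"].get(54)  # option 54 = server identifier
    server = str(IPv4Address(server_id)) if server_id else msg["siaddr"]
    router = msg["options"].get(3)      # option 3 = router (default gateway)
    return {"server": server, "offered_ip": msg["yiaddr"],
            "gateway": str(IPv4Address(router[:4])) if router else None,
            "rogue": server not in valid_servers}

def build_offer(server: str, yiaddr: str, gateway: str, xid: int = 0x3903F326) -> bytes:
    """Constructed sample DHCPOFFER (not a real capture) for exercising the classifier."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)                  # op=2 BOOTREPLY
    hdr += bytes(4) + IPv4Address(yiaddr).packed + IPv4Address(server).packed + bytes(4)
    hdr += bytes.fromhex("0c2233445566") + bytes(10) + bytes(64) + bytes(128)  # chaddr, sname, file
    opts = (b"\x35\x01\x02" + b"\x36\x04" + IPv4Address(server).packed
            + b"\x03\x04" + IPv4Address(gateway).packed + b"\xff")
    return hdr + MAGIC_COOKIE + opts
```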

Preventing rogue DHCP servers at access locations

The second thing you can do is stop rogue DHCP servers using the bridge filter functionality. Much like IP > Firewall > Filter, Bridge > Filters can drop, accept, or mark a packet, or set a packet's priority, depending on what the traffic is or where it is going.
In the example configuration below we use the bridge filters to target DHCP offers and drop any that are not coming in from the upstream interface (ether1 in this case).
This configuration would be applied on an 'access' router or switch where people can reach it and plug devices in, rather than on a distribution switch or router that links the access and gateway devices together.
The filter below only drops the offers going upstream, so if there is a DHCP server on one access switch, all devices on that same access switch will be affected by it, but all the other devices on the network should be fine. In addition, the upstream DHCP server will no longer detect the rogue DHCP server behind the access switch, as the packets are blocked before they can go upstream.


/interface bridge filter
# Drop DHCP server->client traffic (UDP 67 -> 68) bridged in from any port other than the upstream ether1,
# and log each drop with the prefix "dhcp-blocked" so it shows up in /log.
# Note: bridge filters only see frames that reach the CPU; frames switched in hardware between
# hw-offloaded ports bypass them, so check the bridge port hw setting on switch-chip devices.
add action=drop chain=forward dst-address=0.0.0.0/0 dst-port=68 in-interface=!ether1 ip-protocol=udp log=yes log-prefix=dhcp-blocked mac-protocol=ip src-address=0.0.0.0/0 src-port=67