The scan is now fully-multithreaded and the global timeout is 10 seconds. I have a lack of local DHCP servers in my hotel WiFi, however, I set up a local dnsmasq on my laptop and the scan picked up both the AP's DHCP server as well as my new local one. I've seen that the local dnsmasq DHCP often (but not always!) needs a few seconds until it replies.
@deHakkelaar This may explain why you've seen sometimes one, sometimes more DHCP servers. Please try again.
I've also found that my local dnsmasq very well responds to broadcast messages, so no need to send to the interface's local address in my case:
dnsmasq-dhcp: DHCPDISCOVER(wlp4s0) xx:xx:xx:xx:xx:xx
dnsmasq-dhcp: DHCPOFFER(wlp4s0) 192.168.3.191 xx:xx:xx:xx:xx:xx
dnsmasq-dhcp: no address range available for DHCP request via lo
dnsmasq-dhcp: DHCP packet received on enp0s25 which has no address
You can see here that dnsmasq received requests on all three interfaces my laptop has (we also try to discover on unconfigured interfaces!). However, it is not configured to serve addresses in the 127.0.0.1/8 range, and there is no cable in enp0s25 so this interface is completely down. Everything seems 100% correct here.
edit:
I also added these for you. I picked what my DHCP servers do, so far, because I didn't feel like adding all the 200+ possible options which may never be seen in the wild.