Old 01-18-2024, 02:53 PM   #1
lazardo
Member
 
Registered: Feb 2010
Location: SD Bay Area
Posts: 275

/etc/ntp.conf 'pool' vs 'server' in 15.0 and Current


In updating a gateway router running dd-wrt from DNS -> SmartDNS/DoT there is a time synchronization requirement, e.g., if the system clock is too far off it breaks.

This led to looking at formal NTP security models, all of which were rejected as too much effort and/or too few public NTS servers, so I ended up increasing the server count, given ntp will manage discrepancies, and the impact of getting a rogue is negligible.

In 15.0, /etc/ntp.conf uses 'server 0.pool.ntp.org iburst' which does a one-shot DNS for each of the given servers, however, if the resolved server goes septic it is dropped but not replaced. 'pool' has a different behavior in that servers are replaced.

I changed 'server' to 'pool', and after 15 minutes, zero synchronization and zero error messages:
Code:
$ ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     .LOCL.          10 l   55   64  377    0.000   +0.000   0.000
 0.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 1.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 2.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 3.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
After removing 'nopeer' from the 'restrict' options, it worked:
Code:
$ ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l 186m   64    0    0.000   +0.000   0.000
 0.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 1.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 2.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 3.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
+155.248.196.28  135.45.28.167    2 u  313  512  377   25.902   -0.987   0.754
+45.33.103.94    192.126.175.149  3 u  156  512  377   70.656   +0.665   0.405
*44.190.5.123    17.253.4.125     2 u   96  512  377   25.826   +0.199   0.589
-44.190.40.123   66.220.9.122     2 u  301  512  377   24.383   +1.143   0.484
Update: Current was in the subject as I mistakenly saw 'pool' in Current's /etc/ntp.conf
Note this is an always-on server that provides time service to the router and other LAN clients.

Caution: See replies 4 and 5 before adjusting your ntp.conf

Last edited by lazardo; 01-24-2024 at 12:14 PM.
 
Old 01-18-2024, 04:11 PM   #2
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,854

Quote:
Originally Posted by lazardo View Post
In Current, /etc/ntp.conf uses 'pool 0.pool.ntp.org iburst'
Do you mean you have it like that? It's a commented out 'server' command in the sample ntp.conf in -current.
Quote:
Originally Posted by lazardo View Post
After removing 'nopeer' from the 'restrict' options, it worked:
You could try adding a 'restrict source ...' line without nopeer, something like this:
Code:
restrict default limited kod nomodify notrap nopeer noquery
restrict source limited kod nomodify notrap noquery
See man ntp.conf, under 'restrict' command:
Code:
              nopeer Deny  unauthenticated packets which would result in mobi-
                     lizing a new association.  This  includes  broadcast  and
                     symmetric  active  packets  when a configured association
                     does not exist.  It also includes pool  associations,  so
                     if you want to use servers from a pool directive and also
                     want to use nopeer by default,  you'll  want  a  restrict
                     source ...  line as well that does not include the nopeer
                     directive.
 
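A quick check for the misconfiguration discussed in this reply, added here as an example and not code from the thread or from Slackware's ntp package; it assumes a POSIX sh with sed and grep -E, and the sample configs it writes are constructed:

```shell
#!/bin/sh
# Added example: flag an ntp.conf whose 'pool' directives are silently blocked
# by 'restrict default ... nopeer' with no 'restrict source' line that omits
# nopeer. ntpd starts cleanly in that state but never mobilizes a pool peer
# (reach stays 0 in 'ntpq -pn'). Assumes POSIX sh, sed and grep -E.
# Returns 0 when consistent, 1 when pool peers would be blocked, 2 if unreadable.
check_ntp_conf() {
    conf="$1"
    [ -r "$conf" ] || return 2

    # Drop comments so '#pool ...' in the stock file does not count as active.
    active=$(sed 's/#.*//' "$conf")

    # No pool directive: nopeer on the default restriction is harmless.
    if ! printf '%s\n' "$active" | grep -q '^[[:space:]]*pool[[:space:]]'; then
        return 0
    fi

    # No 'restrict [-4|-6] default ... nopeer': pool peers are not blocked.
    if ! printf '%s\n' "$active" |
         grep -Eq '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default[[:space:]].*[[:space:]]nopeer([[:space:]]|$)'; then
        return 0
    fi

    # A 'restrict source' line without nopeer overrides the default for the
    # servers ntpd mobilizes from the pool (the man page text quoted above).
    if printf '%s\n' "$active" |
         grep -E '^[[:space:]]*restrict[[:space:]]+source([[:space:]]|$)' |
         grep -Eqv '[[:space:]]nopeer([[:space:]]|$)'; then
        return 0
    fi
    return 1
}

# Constructed sample configs (not files from the thread): the first is the
# first post's failing setup, the second adds the 'restrict source' fix.
bad=$(mktemp); good=$(mktemp)
printf '%s\n' 'pool 0.pool.ntp.org iburst' \
    'restrict default limited kod nomodify notrap nopeer noquery' > "$bad"
printf '%s\n' 'pool pool.ntp.org iburst' \
    'restrict default limited kod nomodify notrap nopeer noquery' \
    'restrict source limited kod nomodify notrap noquery' > "$good"
check_ntp_conf "$bad";  echo "blocked config -> $?"   # 1
check_ntp_conf "$good"; echo "fixed config   -> $?"   # 0
rm -f "$bad" "$good"
```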
Old 01-18-2024, 04:18 PM   #3
lazardo
Member
 
Registered: Feb 2010
Location: SD Bay Area
Posts: 275

Original Poster
Quote:
Do you mean you have it like that? It's a commented out 'server' command in the sample ntp.conf in -current.
My diff was incorrect somehow, I'll update the post.

Thanks for the 'restrict source' pointer.

Last edited by lazardo; 01-24-2024 at 11:51 AM.
 
Old 01-24-2024, 11:49 AM   #4
lazardo
Member
 
Registered: Feb 2010
Location: SD Bay Area
Posts: 275

Original Poster
Here is a working 'pool' vs 'server' diff based on 15.0 '/etc/ntp.conf.new'.

'pool' has been around for some time: https://community.ntppool.org/t/reco...er-in-ntp-conf

Cheers,
Code:
--- ntp.conf.new	2023-06-06 10:07:43.000000000 -0700
+++ /tmp/ntp.conf.pool	2024-01-24 09:40:10.000705270 -0800
@@ -17,10 +17,10 @@
 
 #
 # NTP server (list one or more) to synchronize with:
-#server 0.pool.ntp.org iburst
-#server 1.pool.ntp.org iburst
-#server 2.pool.ntp.org iburst
-#server 3.pool.ntp.org iburst
+pool 0.pool.ntp.org iburst
+pool 1.pool.ntp.org iburst
+pool 2.pool.ntp.org iburst
+pool 3.pool.ntp.org iburst
 
 #
 # Full path of a directory where statistics files should be created
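Review bot: the four `+pool N.pool.ntp.org iburst` lines are more than needed; a single `pool pool.ntp.org iburst` directive already mobilizes several servers from the pool, which is what the linked ntppool.org guidance recommends (and what reply #7 points out), so consider collapsing the four added lines into one. Each extra `pool` line only adds DNS lookups and candidate associations, all subject to the same `tos maxclock` limit.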
@@ -69,6 +69,9 @@
 restrict default limited kod nomodify notrap nopeer noquery
 restrict -6 default limited kod nomodify notrap nopeer noquery
 
+restrict source  limited kod nomodify notrap        noquery limited
+tos maxclock 5 minsane 2
+
 #
 # Use these lines instead if you do want to serve time and stats to
 # other machines on the network:
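Review bot: `limited` appears twice on the `+restrict source` line (right after `source` and again at the end); drop the trailing duplicate. The line also deserves a one-line comment above it stating that `nopeer` is deliberately omitted here while the two `restrict default` lines keep it, because a later reader who "fixes" the apparent inconsistency by adding `nopeer` back would reintroduce the silent no-sync state from the first post. Suggested:
restrict source limited kod nomodify notrap noquery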

Last edited by lazardo; 01-24-2024 at 11:58 AM.
 
Old 01-24-2024, 11:53 AM   #5
metaed
Member
 
Registered: Apr 2022
Location: US
Distribution: Slackware64 15.0
Posts: 371

See also: docs.slackware.com/howtos:network_services:ntp
 
Old 01-24-2024, 12:07 PM   #6
lazardo
Member
 
Registered: Feb 2010
Location: SD Bay Area
Posts: 275

Original Poster
Very complete and up-to-date howto.

I wonder why PV is still using the server model?
 
Old 01-24-2024, 12:51 PM   #7
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,854

They recommend a single pool command, not four:
Code:
pool pool.ntp.org iburst
 
Old 01-24-2024, 01:38 PM   #8
lazardo
Member
 
Registered: Feb 2010
Location: SD Bay Area
Posts: 275

Original Poster
Side note for the security-minded.

Consider devices with hard-coded NTP, or that ignore DHCP offered NTP
Code:
IoT device -> gateway -> unknown server -> gateway -> time or malware
vs managed NTP
Code:
IoT device -> LAN NTP server -> time
Given a designated LAN-based NTP server, you may want to run an experiment on your gateway by redirecting outbound udp port 123 to your NTP server, something like this dd-wrt specific example:
Code:
iptables -I PREROUTING -t nat -i br0 -p udp ! -s <NTP server IP> --dport 123 -j DNAT --to <NTP server IP>
Code:
if packet is outbound udp port 123 and not LAN NTP server, redirect to LAN NTP server
Common offenders: Roku, Apple TV, webcams et al. Could be a phone-home mechanism similar to hard-coded DNS/DoH. Small-brained devices typically have no resources for ntp/chrony or battery-backed nvram, and so make a lot of updates.
 
  

