NTP through DNS?

Mauricio Tavares raubvogel at gmail.com
Wed Sep 19 15:16:34 UTC 2018


On Wed, Sep 19, 2018 at 11:12 AM, Andrew Latham <lathama at gmail.com> wrote:
> Additionally you may route all outbound requests for NTP to a local source
> found from an DNS lookup.
>
> Benefits could be:
> * Control of time sources (correct a hardcoded address that is no longer
> valid)
> * Mitigate attack vectors
> * Mitigate bufferbloat

Wait! There is more!

   * Provide NTP for hosts which cannot reach the outside world
   * Keep Kerberos happy as the NTP server is not far.
>
> DNS is an important piece to this puzzle and SRV records can be useful when
> devices support them. It does not hurt to add the SRV records for common
> services.
>
> On Wed, Sep 19, 2018 at 9:59 AM Mauricio Tavares <raubvogel at gmail.com>
> wrote:
>>
>> On Wed, Sep 19, 2018 at 10:12 AM, Andrew Latham <lathama at gmail.com> wrote:
>> > You can add SRV records for NTP to your domain if that is what you are
>> > asking.
>> >
>>       Thanks. I was trying to query for it using dig and then realized
>> I did not know if that is doable.
>>
>> On Wed, Sep 19, 2018 at 10:16 AM, Mukund Sivaraman <muks at mukund.org>
>> wrote:
>> > On Wed, Sep 19, 2018 at 10:08:34AM -0400, Mauricio Tavares wrote:
>> >> Stupid question: can I publish/query the NTP server through DNS the
>> >> same way I can ask who is doing LDAP?
>> >
>> > An NTP service doesn't belong to a domain, so maybe not (I don't know of
>> > one off my mind).
>> >
>>       Not necessarily; I can name a few universities and businesses who
>> offer their own NTP servers to their internal systems. AFAIK, this is
>> considered good practice.
>>
>> > For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
>> > and 10.98.0.5 as the NTP server:
>> >
>> > subnet 10.98.0.0 netmask 255.255.0.0 {
>> >        ...
>> >        option ntp-servers 10.98.0.5;
>> > }
>> >
>> > and perhaps also use "tcode" and "time-offset" options to set the
>> > timezone.
>> >
>> > But a real bummer is that some DHCP clients (e.g., Android phones) do
>> > not make use of this option, and don't even provide a config setting to
>> > do so. IIRC they synchronize time via the cell phone signal.
>> >
>>       Add Windows devices to the list.
>>
>> >                 Mukund
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
>
>
> --
> - Andrew "lathama" Latham -
>

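The SRV-record approach discussed in this thread, as an added example that is not part of any poster's message: a constructed BIND zone fragment publishing `_ntp._udp.example.com` (all hostnames are assumptions) and a client-side Python routine that parses it and orders the targets the way RFC 2782 prescribes (lowest priority first, then weighted random choice within a priority, with a target of `.` meaning the service is not offered).

```python
import random
import re

# Constructed zone fragment, in the shape BIND would serve for an NTP SRV
# record set (RFC 2782): _service._proto.name TTL IN SRV priority weight port target
ZONE = """\
; two pool members share priority 0 and split load 60/40
_ntp._udp.example.com. 3600 IN SRV 0 60 123 ntp1.example.com.
_ntp._udp.example.com. 3600 IN SRV 0 40 123 ntp2.example.com.
; tried only if every priority-0 server is unreachable
_ntp._udp.example.com. 3600 IN SRV 10 0 123 ntp-backup.example.com.
"""

SRV_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(zone_text):
    """Parse SRV lines into dicts; blank lines and ';' comments are skipped."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line}")
        owner, ttl, prio, weight, port, target = m.groups()
        records.append({"owner": owner, "ttl": int(ttl), "priority": int(prio),
                        "weight": int(weight), "port": int(port), "target": target})
    return records


def order_targets(records, rng=random):
    """Return (host, port) in try order: ascending priority, then RFC 2782
    weighted random selection without replacement; target '.' is dropped."""
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        # zero-weight entries go first so they are rarely, but possibly, chosen
        pool = sorted((r for r in records if r["priority"] == prio and r["target"] != "."),
                      key=lambda r: r["weight"] != 0)
        while pool:
            total = sum(r["weight"] for r in pool)
            x = rng.randint(0, total)          # uniform in [0, total], inclusive
            running = 0
            for r in pool:
                running += r["weight"]
                if running >= x:               # first running sum >= x wins
                    break
            pool.remove(r)
            ordered.append((r["target"].rstrip("."), r["port"]))
    return ordered
```

A host that trusts this answer takes its clock from whatever the SRV target resolves to, so serve the records from a DNSSEC-signed zone and validate on the client; otherwise a spoofed DNS reply becomes a spoofed time source, which is exactly what Kerberos ticket lifetimes rely on not happening.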
