
NTP DHCP Option - use FQDN instead of IPs

Hello,

Can I set up the DHCP option for the NTP time server using an FQDN, which the firewall resolves via an FQDN Object, rather than using a bunch of IPs?

As these pools are quite big, I wanted to cover it via FQDN and an access policy towards WAN.


DHCP Advanced Option Number 4 - FQDN

Firewall Access Policy - LAN -> WAN -> FQDN Object -> NTP 123 UDP


thanks

armin

Category: Firewall Management and Analytics

Best Answer

  • BWC Cybersecurity Overlord ✭✭✭ (accepted answer)

    @ArminF RFC 2132 is very clear on Option 4: it's a list of 32-bit values, aka IPv4 addresses only. Same goes for Option 42, which is related too.

      The time server option specifies a list of RFC 868 [6] time servers
       available to the client.  Servers SHOULD be listed in order of
       preference.
    
       The code for the time server option is 4.  The minimum length for
       this option is 4 octets, and the length MUST always be a multiple of
       4.
    

    I don't use any pool.ntp.org any longer, because of their open nature. Something critical like NTP needs to be looked at more critically.

    --Michael@BWC
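The RFC text quoted above fixes the wire format of options 4 and 42: a length octet followed by a list of raw 32-bit IPv4 addresses, with no room for a name. The following encoder/decoder is an added example, not code from the thread or from SonicWall; it enforces the RFC 2132 constraints (length at least 4 and a multiple of 4, IPv4 only) and walks a small constructed DHCP options field to show where such an option sits. The option codes are those from RFC 2132, the sample addresses are from the RFC 5737 TEST-NET-1 range, and the function names are this example's own.

```python
import ipaddress

# RFC 2132 option codes: 4 = Time Server (RFC 868), 42 = NTP Servers.
OPTION_TIME_SERVER = 4
OPTION_NTP_SERVERS = 42
SERVER_LIST_OPTIONS = (OPTION_TIME_SERVER, OPTION_NTP_SERVERS)
OPTION_PAD = 0    # single octet, no length field
OPTION_END = 255  # single octet, no length field


def encode_server_list(code, servers):
    """Build the TLV for option 4 or 42 from a list of IPv4 address strings.

    RFC 2132: the payload is one or more 32-bit addresses, so the length is at
    least 4 and always a multiple of 4. A hostname or FQDN cannot be carried
    and is rejected here instead of being silently dropped.
    """
    if code not in SERVER_LIST_OPTIONS:
        raise ValueError(f"option {code} is not a server-list option")
    if not servers:
        raise ValueError("minimum length is 4 octets: at least one server required")
    payload = b""
    for server in servers:
        try:
            payload += ipaddress.IPv4Address(server).packed
        except ipaddress.AddressValueError as exc:
            raise ValueError(
                f"option {code} carries IPv4 addresses only, not {server!r}"
            ) from exc
    if len(payload) > 255:
        raise ValueError("length field is one octet: at most 63 servers per option")
    return bytes([code, len(payload)]) + payload


def decode_server_list(option):
    """Parse one option 4/42 TLV back into address strings, enforcing RFC 2132."""
    if len(option) < 2 or option[0] not in SERVER_LIST_OPTIONS:
        raise ValueError("not an option 4/42 TLV")
    length = option[1]
    payload = option[2:2 + length]
    if len(payload) != length:
        raise ValueError("truncated option")
    if length < 4 or length % 4 != 0:
        raise ValueError(f"length {length} is not a non-zero multiple of 4")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


def find_server_options(options):
    """Walk a DHCP options field (after the magic cookie) and collect options 4 and 42.

    Pad (0) and End (255) are single octets without a length, so they are
    handled before the generic code/length/value walk.
    """
    found = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(options):
            raise ValueError("option code without length octet")
        length = options[i + 1]
        tlv = options[i:i + 2 + length]
        if code in SERVER_LIST_OPTIONS:
            found[code] = decode_server_list(tlv)
        i += 2 + length
    return found


# Constructed sample options field: subnet mask (1), time server (4),
# NTP servers (42), end. Addresses are from the RFC 5737 TEST-NET-1 range.
SAMPLE_OPTIONS = (
    bytes([1, 4, 255, 255, 255, 0])
    + encode_server_list(OPTION_TIME_SERVER, ["192.0.2.10"])
    + encode_server_list(OPTION_NTP_SERVERS, ["192.0.2.10", "192.0.2.11"])
    + bytes([OPTION_END])
)

if __name__ == "__main__":
    print(find_server_options(SAMPLE_OPTIONS))
    try:
        encode_server_list(OPTION_NTP_SERVERS, ["de.pool.ntp.org"])
    except ValueError as err:
        print("rejected:", err)
```

The practical consequence for the original question is the one in the answer: whatever resolves the pool name has to be the DHCP server side (or a local NTP relay handed out by IP), because the client only ever receives packed 32-bit addresses in these options.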

Answers

  • ArminF Newbie ✭

    Thanks @BWC !

    I will try to use a local IP and see if I can route this to some external NTP servers.

    Agree on your statement with NTP. I use the TZ270 at home and migrated from an OPNSense which had an internal NTP server.


    Have a sunny Sunday.

    cheers Armin

  • TKWITS Community Legend ✭✭✭✭✭

    Your internal infrastructure should (and likely does, if it's Microsoft Active Directory) provide NTP services.

    Even the NTP pool operators say not to use the top level 'pool.ntp.org'. You should be using something geographically closer, like us.pool.ntp.org or north-america.pool.ntp.org.

    @BWC can you elaborate on your distrust of NTP pools open-ness? Pretty much every major vendor uses a public NTP pool or has their own...

  • BWC Cybersecurity Overlord ✭✭✭

    @TKWITS sorry for the late response, I enjoyed a few days off in the beautiful Alps of Tirol (Austria) :)

    I might be a bit paranoid on that topic, but because anyone can register a system to pool.ntp.org I tend to avoid them these days. Having europe.pool.ntp.org enabled for example, connects to systems in countries I usually block via Geo-IP, so no need to trust them for something critical like NTP. I could use de.pool.ntp.org instead, but can I trust them?

    Therefore I use only NTP systems with a known reputation, or run a hardware-based time source on-prem.

    I remembered an old thread of mine complaining about DNS requests on Gen7; it seems SNWL is using a recommended system after all, don't know if this is done globally.

    --Michael@BWC

  • TKWITS Community Legend ✭✭✭✭✭

    @BWC No worries, I had a few days off due to COVID... Thanks for the link to the RIPE article.
