NTP DHCP Option - use FQDN instead of IPs
Hello,
Can I set up the DHCP option for the NTP time server using an FQDN which the firewall resolves via an FQDN object, rather than using a bunch of IPs?
As these pools are quite big, I wanted to cover it via FQDN and an access policy towards WAN.
DHCP Advanced Option Number 4 - FQDN
Firewall Access Policy - LAN -> WAN -> FQDN Object -> NTP 123 UDP
thanks
armin
Best Answer
BWC Cybersecurity Overlord ✭✭✭
@ArminF RFC2132 is very clear on Option 4: it's a list of 32-bit values, aka IPv4 addresses only. Same goes for Option 42, which is related too.
The time server option specifies a list of RFC 868 [6] time servers available to the client. Servers SHOULD be listed in order of preference. The code for the time server option is 4. The minimum length for this option is 4 octets, and the length MUST always be a multiple of 4.
I don't use any pool.ntp.org any longer, because of their open nature. Something critical like NTP needs to be looked at more critically.
--Michael@BWC
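To make the RFC 2132 point concrete, here is an added example (not code from the thread, from SonicWall, or from the RFC) that encodes and decodes the "list of 32-bit addresses" form shared by Option 4 (time server) and Option 42 (NTP servers). The sample addresses 192.0.2.10 and 192.0.2.11 are constructed from the documentation range; the function names are my own. The decoder enforces the length rules quoted above (at least 4 octets, always a multiple of 4), and the last function shows why a hostname cannot be carried in this option: the ASCII bytes of "pool.ntp.org" happen to be 12 octets long, so a client that received them would not see an error, it would parse three meaningless IPv4 addresses.

```python
import ipaddress

# Option codes from RFC 2132. Both carry a list of IPv4 addresses, nothing else.
OPTION_TIME_SERVER = 4    # RFC 2132 section 3.6, RFC 868 time servers
OPTION_NTP_SERVERS = 42   # RFC 2132 section 8.3, NTP servers
ADDRESS_LIST_OPTIONS = (OPTION_TIME_SERVER, OPTION_NTP_SERVERS)


def encode_address_list_option(code, servers):
    """Build the wire form <code><len><4 octets per server> for Option 4 / 42.

    Every entry must be an IPv4 address; a hostname such as "pool.ntp.org"
    is rejected because there is simply no field to put it in.
    """
    if code not in ADDRESS_LIST_OPTIONS:
        raise ValueError("code %d is not an address-list option" % code)
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    if len(payload) < 4:
        raise ValueError("minimum length for this option is 4 octets")
    if len(payload) > 255:
        raise ValueError("option length field is a single octet (max 255)")
    return bytes([code, len(payload)]) + payload


def decode_address_list_option(option):
    """Parse <code><len><payload> and return (code, [dotted-quad, ...]).

    Applies the RFC 2132 constraints: length >= 4 and a multiple of 4.
    """
    if len(option) < 2:
        raise ValueError("option too short to hold code and length")
    code, length = option[0], option[1]
    if code not in ADDRESS_LIST_OPTIONS:
        raise ValueError("code %d is not an address-list option" % code)
    payload = option[2:]
    if len(payload) != length:
        raise ValueError("length field %d does not match %d payload octets"
                         % (length, len(payload)))
    if length < 4 or length % 4 != 0:
        raise ValueError("length MUST be at least 4 and a multiple of 4")
    addresses = [str(ipaddress.IPv4Address(payload[i:i + 4]))
                 for i in range(0, length, 4)]
    return code, addresses


def fqdn_fits_option_4(name):
    """Return True only if the value can be encoded as an Option 4 entry.

    Hostnames always fail: ipaddress.IPv4Address raises for anything that is
    not a dotted quad, and that exception is a ValueError subclass.
    """
    try:
        encode_address_list_option(OPTION_TIME_SERVER, [name])
        return True
    except ValueError:
        return False


def what_a_client_would_see(name):
    """Show how a client would misread a hostname stuffed into Option 42.

    Constructed case: the raw ASCII bytes of `name` are placed in the payload.
    If their length happens to be a multiple of 4 the option is syntactically
    valid and decodes into bogus IPv4 addresses instead of an error.
    """
    raw = name.encode("ascii")
    return decode_address_list_option(bytes([OPTION_NTP_SERVERS, len(raw)]) + raw)


if __name__ == "__main__":
    opt = encode_address_list_option(OPTION_TIME_SERVER, ["192.0.2.10", "192.0.2.11"])
    print(opt.hex())                              # 040800c0000a00c0000b -> no, see below
    print(decode_address_list_option(opt))
    print(fqdn_fits_option_4("pool.ntp.org"))
    print(what_a_client_would_see("pool.ntp.org"))
```

The practical consequence for the question above is the one the answer gives: the DHCP server has to hand out addresses, so any FQDN resolution (for example via the firewall's FQDN object) has to happen before the option is built, or the clients must be pointed at a local NTP address that is forwarded onward.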
Answers
Thanks @BWC !
I will try to use a local IP and see if I can route this to some external NTP servers.
Agree on your statement with NTP. I use the TZ270 at home and migrated from an OPNSense which had an internal NTP server.
Have a sunny Sunday.
cheers Armin
Your internal infrastructure should (and likely does, if it's Microsoft Active Directory) provide NTP services.
Even the NTP pool operators say not to use the top level 'pool.ntp.org'. You should be using something geographically closer, like us.pool.ntp.org or north-america.pool.ntp.org.
@BWC can you elaborate on your distrust of NTP pools' openness? Pretty much every major vendor uses a public NTP pool or has their own...
@TKWITS sorry for the late response, I enjoyed a few days off in the beautiful Alps of Tirol (Austria) :)
I might be a bit paranoid on that topic, but because anyone can register a system to pool.ntp.org I tend to avoid them these days. Having europe.pool.ntp.org enabled for example, connects to systems in countries I usually block via Geo-IP, so no need to trust them for something critical like NTP. I could use de.pool.ntp.org instead, but can I trust them?
Therefore I use only NTP systems with a known reputation or running a hardware based Time Source on-prem.
I remembered an old thread of mine, complaining about DNS requests on Gen7; it seems SNWL is using a recommended system after all. I don't know if this is done globally.
--Michael@BWC
@BWC No worries, I had a few days off due to COVID... Thanks for the link to the RIPE article.