Extra NTP server address
I run my own NTP server, which can be reached with both IPv4 and IPv6. However, when I check with Wireshark, I see NTP requests going not only to my server, but also to an IPv4 address on the Internet. This happens with both my desktop system and ThinkPad, but they have different external addresses, in addition to my server. I use the host name for the server address in NTP Configuration. Any idea where that other address comes from?
On 12/17/23 15:03, James Knott wrote:
I run my own NTP server, which can be reached with both IPv4 and IPv6. However, when I check with Wireshark, I see NTP requests going not only to my server, but also to an IPv4 address on the Internet. This happens with both my desktop system and ThinkPad, but they have different external addresses, in addition to my server. I use the host name for the server address in NTP Configuration.
Any idea where that other address comes from?
Guessing, that it is normal NTP traffic going between servers to attempt to determine latency and ensure the servers remain in sync. You must be a Stratum 3 host? Poke around a bit and see what traffic is used to keep tabs on servers offering NTP. It has been a decade, but I do recall there being a fairly sophisticated way that servers keep metrics on each other. -- David C. Rankin, J.D.,P.E.
On 12/17/23 19:34, David C. Rankin wrote:
Any idea where that other address comes from?
Guessing, that it is normal NTP traffic going between servers to attempt to determine latency and ensure the servers remain in sync. You must be a Stratum 3 host? Poke around a bit and see what traffic is used to keep tabs on servers offering NTP. It has been a decade, but I do recall there being a fairly sophisticated way that servers keep metrics on each other.
I'm running Wireshark on my computers. I can see the traffic to both IPv4 and IPv6 addresses of my server. I am also seeing it between my computer and some external server, so I don't think it's traffic between servers. My servers are stratum 2, so my computer is 3, but it's not being used as a server.
On 2023-12-18 03:02, James Knott wrote:
On 12/17/23 19:34, David C. Rankin wrote:
Any idea where that other address comes from?
Guessing, that it is normal NTP traffic going between servers to attempt to determine latency and ensure the servers remain in sync. You must be a Stratum 3 host? Poke around a bit and see what traffic is used to keep tabs on servers offering NTP. It has been a decade, but I do recall there being a fairly sophisticated way that servers keep metrics on each other.
I'm running Wireshark on my computers. I can see the traffic to both IPv4 and IPv6 addresses of my server. I am also seeing it between my computer and some external server, so I don't think it's traffic between servers.
When David says "between servers" he means "between your server and outside servers". This is normal, it is how it works.
My servers are stratum 2, so my computer is 3, but it's not being used as a server.
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 12/17/23 21:36, Carlos E. R. wrote:
I'm running Wireshark on my computers. I can see the traffic to both IPv4 and IPv6 addresses of my server. I am also seeing it between my computer and some external server, so I don't think it's traffic between servers.
When David says "between servers" he means "between your server and outside servers". This is normal, it is how it works.
My server is not on openSUSE. It's on my pfSense firewall/router. So, my desktop and ThinkPad computers are just clients. All the NTP server traffic is between my desktop or ThinkPad and my server, along with some external server. My server is configured in the NTP settings, the outside one(s) isn't. Does the openSUSE NTP client even provide a server anymore? It did back in the SUSE days and I ran my NTP server on it, when I had a Linux firewall.
On 2023-12-17 21:14, James Knott wrote:
On 12/17/23 21:36, Carlos E. R. wrote:
I'm running Wireshark on my computers. I can see the traffic to both IPv4 and IPv6 addresses of my server. I am also seeing it between my computer and some external server, so I don't think it's traffic between servers.
When David says "between servers" he means "between your server and outside servers". This is normal, it is how it works.
My server is not on openSUSE. It's on my pfSense firewall/router. So, my desktop and ThinkPad computers are just clients. All the NTP server traffic is between my desktop or ThinkPad and my server, along with some external server. My server is configured in the NTP settings, the outside one(s) isn't.
Does the openSUSE NTP client even provide a server anymore? It did back in the SUSE days and I ran my NTP server on it, when I had a Linux firewall.
Both ntpd and chronyd can be configured to run as servers. IIRC, the only essential difference between the two is that ntpd can be configured to run as a stratum 0 server (if you have a primary source such as an atomic clock), while chrony cannot.
On Monday, 18 December 2023 07:33:54 ACDT James Knott wrote:
I run my own NTP server, which can be reached with both IPv4 and IPv6. However, when I check with Wireshark, I see NTP requests going not only to my server, but also to an IPv4 address on the Internet. This happens with both my desktop system and ThinkPad, but they have different external addresses, in addition to my server. I use the host name for the server address in NTP Configuration.
Any idea where that other address comes from?
Are you running chrony or ntpd? Check /etc/ntp.conf or /etc/chrony/chrony.conf. Also check in /etc/chrony/chrony.conf.d because files in there are automatically included in chronyd's list of sources by default. If you're running systemd-timesyncd, then you'll have to check its default config files, and I've really no idea where they live. I disable/uninstall that and install chrony on all the machines I manage at work or at home. Hope this helps. -- Rodney Baker rodney.baker@outlook.com.au
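The checks Rodney lists can be turned into one script. This is an added example, not code from the thread or from openSUSE: it takes a capture of UDP/123 traffic and the list of sources chronyd actually loaded (`chronyc -n sources`, which covers chrony.conf, any include/sourcedir files and DHCP-supplied sources alike) and prints the destinations that no loaded source accounts for. Those are the addresses worth chasing, because a time source the client did not ask for is a trust problem: certificate validity windows, Kerberos tickets and log timestamps all depend on the clock, and a DHCP server on the LAN can hand out NTP servers (option 42) that a client configured to accept them will use. The sample capture and chronyc output below are constructed so the script runs offline; the live_* helpers and the config paths they search (/etc/chrony.conf, /etc/chrony.d, /run/chrony-dhcp) are typical defaults assumed here, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or openSUSE): list NTP destinations seen
# on the wire that none of chronyd's loaded sources account for.
# SAMPLE_* inputs are CONSTRUCTED so the script runs offline; the live_*
# helpers at the bottom collect the real data (they need root for tcpdump).
LC_ALL=C; export LC_ALL

# Constructed output of:  tcpdump -n -l -i any 'udp port 123'
# RFC 5737/3849 documentation addresses; 203.0.113.7 plays the unexplained peer.
SAMPLE_TCPDUMP='10:00:01.000000 IP 192.168.1.10.42001 > 192.0.2.1.123: NTPv4, Client, length 48
10:00:01.010000 IP 192.0.2.1.123 > 192.168.1.10.42001: NTPv4, Server, length 48
10:00:01.020000 IP6 2001:db8:1::10.42002 > 2001:db8::1.123: NTPv4, Client, length 48
10:00:01.030000 IP6 2001:db8::1.123 > 2001:db8:1::10.42002: NTPv4, Server, length 48
10:00:05.000000 IP 192.168.1.10.42003 > 203.0.113.7.123: NTPv4, Client, length 48
10:00:09.000000 IP 192.168.1.10.42001 > 192.0.2.1.123: NTPv4, Client, length 48'

# Constructed output of:  chronyc -n sources
# This is every source chronyd loaded, whatever file or DHCP lease supplied it.
SAMPLE_CHRONYC='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.0.2.1                     2   6   377    23   -112us[ -130us] +/- 1200us
^+ 2001:db8::1                   2   6   377    20   +150us[ +150us] +/- 3100us'

# Unique destinations of outbound client requests (NTP mode 3).  tcpdump writes
# "addr.port" for IP and IP6 alike, so the trailing ".123:" is stripped; server
# replies have the client's ephemeral port as destination and are skipped.
ntp_client_destinations() {
    printf '%s\n' "$1" |
        sed -n 's/^.* > \([^ ]*\)\.123: NTPv[0-9]*, Client, .*$/\1/p' |
        sort -u
}

# Addresses from "chronyc -n sources" text.  Data rows start with a two-character
# mode/state field (^* ^+ ^- ^? =x #~ ...); the header and the ==== rule do not.
chronyc_source_addresses() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[=#^][*+x?~-]$/ { print $2 }' |
        sort -u
}

# Set difference: observed minus loaded.  Anything printed is sent by something
# chronyd was never told about (another daemon, an application, or a second
# client in the capture), which is where to look next.
unexplained_destinations() {
    _known=$(mktemp) || return 1
    chronyc_source_addresses "$2" > "$_known"
    ntp_client_destinations "$1" | comm -23 - "$_known"
    rm -f "$_known"
}

# Which file handed chronyd a given name or address.  Paths are assumed typical
# defaults (main config, its sourcedir, and the DHCP drop-in directory).
explain_source() {
    grep -rnH -- "$1" /etc/chrony.conf /etc/chrony.d /run/chrony-dhcp 2>/dev/null
}

# Live run: capture a little over one poll interval at the default minpoll 6 (64 s).
live_audit() {
    _cap=$(timeout 70 tcpdump -n -l -i any 'udp port 123' 2>/dev/null)
    _src=$(chronyc -n sources 2>/dev/null)
    unexplained_destinations "$_cap" "$_src"
}

echo "Unexplained NTP destinations in the constructed sample:"
unexplained_destinations "$SAMPLE_TCPDUMP" "$SAMPLE_CHRONYC"
```

If `live_audit` prints an address, chronyd is not the sender, so look at other daemons (systemd-timesyncd reports its own sources with `timedatectl show-timesync`) or at applications that query NTP themselves. If it prints nothing but `chronyc -n sources` still shows a peer you never typed in, `explain_source <address>` points at the file that supplied it.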
On 12/18/23 03:40, Rodney Baker wrote:
Are you running chrony or ntpd?
No.
Check /etc/ntp.conf or /etc/chrony/chrony.conf. Also check in /etc/chrony/chrony.conf.d because files in there are automatically included in chronyd's list of sources by default.
None of those exist.
If you're running systemd-timesyncd, then you'll have to check its default config files, and I've really no idea where they live. I disable/uninstall that and install chrony on all the machines I manage at work or at home.
systemd-timesyncd is not running. As mentioned in another message, this is just an NTP client, not a server. My server is on my pfSense firewall/router.
On 12/18/23 15:22, James Knott wrote:
As mentioned in another message, this is just an NTP client, not a server. My server is on my pfSense firewall/router.
Not sure if it was clear earlier, but it doesn't matter where NTP is run but there is always some communication between NTP and external IPs to determine how far you are away from your clock source and the offsets in transmission time needed to ensure your clocks remain in sync. If running in the router, that communication will still occur. There are configuration settings available to control some of the behavior, but even if acting as a pure client to set the local clock, NTP will still have to talk to, ping (whatever it does?), to work out how much to adjust the time you get to make sure it is "within a nat's ass" of the true provider time (technical term). With wireshark if you dissect the packets, it's likely that type communication you will find, along with the validation traffic that you are talking to an NTP server. It's a good question, and like I said, I haven't revisited NTP in more than a decade, so this is going from where things were circa 2010. -- David C. Rankin, J.D.,P.E.
On 12/19/23 15:07, David C. Rankin wrote:
It's a good question, and like I said, I haven't revisited NTP in more than a decade, so this is going from where things were circa 2010.
I have been running NTP for many years and never seen that. My previous question, several years ago, was about why I was seeing both IPv4 and IPv6 traffic with my server. At that time, that was all I was seeing. There was nothing to any other NTP server. As for distance to the server, there is some math that goes on to determine the transit time. Here's the algorithm: https://en.wikipedia.org/wiki/Network_Time_Protocol#Clock_synchronization_al... This isn't causing problems (I hope) but it just seems strange that a server I haven't configured is being used. Yeah, I'm aware having multiple sources improves accuracy, but I'm already using 6, 3 stratum 1, on my firewall.
On 2023-12-18 22:22, James Knott wrote:
On 12/18/23 03:40, Rodney Baker wrote:
systemd-timesyncd is not running.
As mentioned in another message, this is just an NTP client, not a server. My server is on my pfSense firewall/router.
There is no such thing. The ntp daemon is always client and server. IIRC, it needs 3 other servers to compare to in order to get a good clock reference. Otherwise it will not be happy. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 12/19/2023 16:02:42, Carlos E. R. wrote:
On 2023-12-18 22:22, James Knott wrote:
On 12/18/23 03:40, Rodney Baker wrote:
systemd-timesyncd is not running.
As mentioned in another message, this is just an NTP client, not a server. My server is on my pfSense firewall/router.
There is no such thing.
The ntp daemon is always client and server. IIRC, it needs 3 other servers to compare to in order to get a good clock reference. Otherwise it will not be happy.
Perhaps terminology is at issue here. AFAIK the NTP daemon does not act as a "server", that is, advertising itself as an NTP server, to act as a time reference. At least by default. It only acts as a client, for the device it is running on, providing an accurate time that it obtains from whatever source one enters into its list of NTP servers. While there can be several servers entered, as long as the first one entered responds "in time" (see what I did there???) the client accepts that and goes back to sleep. To the best of my recollection.
On 2023-12-19 22:16, joe a wrote:
On 12/19/2023 16:02:42, Carlos E. R. wrote:
On 2023-12-18 22:22, James Knott wrote:
On 12/18/23 03:40, Rodney Baker wrote:
systemd-timesyncd is not running.
As mentioned in another message, this is just an NTP client, not a server. My server is on my pfSense firewall/router.
There is no such thing.
The ntp daemon is always client and server. IIRC, it needs 3 other servers to compare to in order to get a good clock reference. Otherwise it will not be happy.
Perhaps terminology is at issue here. AFAIK the NTP daemon does not act as a "server" that is, advertising itself as an NTP server, to act as a time reference. At least by default.
It only acts as a client, for the device it is running on, providing an accurate time that it obtains from whatever source one enters into its list of NTP servers.
While there can be several servers entered, as long as the first one entered responds "in time" (see what I did there???) the client accepts that and goes back to sleep.
To the best of my recollection.
You only need to tell another machine of the address of the first one, and the first one will instantly act as server. What I don't remember is if a machine on the LAN can broadcast a query for ntp servers. Of course, the machine has to know that its time is accurate, and for this it needs to compare its own time with other machines. I think the minimum is three. Where from can the daemon obtain external addresses of servers, I do not know. The dhcp server of the lan can publish them, I think. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 12/19/2023 16:29:58, Carlos E. R. wrote:
On 2023-12-19 22:16, joe a wrote:
On 12/19/2023 16:02:42, Carlos E. R. wrote:
On 2023-12-18 22:22, James Knott wrote:
On 12/18/23 03:40, Rodney Baker wrote:
systemd-timesyncd is not running.
As mentioned in another message, this is just an NTP client, not a server. My server is on my pfSense firewall/router.
There is no such thing.
The ntp daemon is always client and server. IIRC, it needs 3 other servers to compare to in order to get a good clock reference. Otherwise it will not be happy.
Perhaps terminology is at issue here. AFAIK the NTP daemon does not act as a "server" that is, advertising itself as an NTP server, to act as a time reference. At least by default.
It only acts as a client, for the device it is running on, providing an accurate time that it obtains from whatever source one enters into its list of NTP servers.
While there can be several servers entered, as long as the first one entered responds "in time" (see what I did there???) the client accepts that and goes back to sleep.
To the best of my recollection.
You only need to tell another machine of the address of the first one, and the first one will instantly act as server.
What I don't remember is if a machine on the LAN can broadcast a query for ntp servers.
Of course, the machine has to know that its time is accurate, and for this it needs to compare its own time with other machines. I think the minimum is three.
Where from can the daemon obtain external addresses of servers, I do not know. The dhcp server of the lan can publish them, I think.
FWIW - https://doc.opensuse.org/documentation/leap/reference/html/book-reference/ch...
On 12/19/23 16:29, Carlos E. R. wrote:
You only need to tell another machine of the address of the first one, and the first one will instantly act as server.
No. I just tried. I set my ThinkPad to use my desktop as the server and tried the test. It failed. I then tried my firewall and it worked fine. The NTP client in 15.5 is not a server and hasn't been since before openSUSE, IIRC.
What I don't remember is if a machine on the LAN can broadcast a query for ntp servers.
It can be configured as a DHCP option. However, when it did provide a server, it could be configured to multicast NTP, without being requested.
Of course, the machine has to know that its time is accurate, and for this it needs to compare its own time with other machines. I think the minimum is three.
Yep. Either use 1 or at least 3. 2 can cause it to ignore both, if they disagree. I use 6 on pfSense. 3 are stratum 1 from the local Internet exchange and the other 3 are stratum 2 from government servers.
Where from can the daemon obtain external addresses of servers, I do not know. The dhcp server of the lan can publish them, I think.
Yep. I don't know of any other method, beyond manual configuration.
On 2023-12-19 22:45, James Knott wrote:
On 12/19/23 16:29, Carlos E. R. wrote:
You only need to tell another machine of the address of the first one, and the first one will instantly act as server.
No. I just tried. I set my ThinkPad to use my desktop as the server and tried the test. It failed. I then tried my firewall and it worked fine. The NTP client in 15.5 is not a server and hasn't been since before openSUSE, IIRC.
That's probably because the firewall in your desktop blocks it. ... -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 12/19/23 16:50, Carlos E. R. wrote:
No. I just tried. I set my ThinkPad to use my desktop as the server and tried the test. It failed. I then tried my firewall and it worked fine. The NTP client in 15.5 is not a server and hasn't been since before openSUSE, IIRC.
That's probably because the firewall in your desktop blocks it.
No. I just allowed NTP to my desktop and still no server.
On 2023-12-19 16:19, James Knott wrote:
On 12/19/23 16:50, Carlos E. R. wrote:
No. I just tried. I set my ThinkPad to use my desktop as the server and tried the test. It failed. I then tried my firewall and it worked fine. The NTP client in 15.5 is not a server and hasn't been since before openSUSE, IIRC.
That's probably because the firewall in your desktop blocks it.
No. I just allowed NTP to my desktop and still no server.
Both chrony and ntpd can be configured to run as time servers, but by default are not configured to do so. Since chrony is now the default NTP client on openSUSE, I will discuss only that. For additional information, consult the manpages chrony.conf(5) or online sources such as https://opensource.com/article/18/12/manage-ntp-chrony You will find that chrony can easily be turned into an NTP server: just add an "allow" statement to the config file /etc/chrony.conf
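As an added illustration of that allow statement (example config and lint written for this page, not from the thread or the chrony project): the first fragment is what a reviewer would bounce, the second is the same host restricted to serving its own LAN, and the awk lint flags the three things this thread touches on: a bare allow serves anyone who can reach UDP/123, a command port open to the network, and exactly two sources, which leaves chronyd with no majority when they disagree (the "use 1 or at least 3" rule James gives earlier in the thread). Host names, prefixes and paths are placeholders (RFC 5737/3849 documentation addresses).

```shell
#!/bin/sh
# Added example (not from the thread or the chrony project): a chrony.conf that
# turns a client into a LAN time server, beside one a reviewer would bounce,
# plus a small lint.  Names, prefixes and paths are placeholders.
LC_ALL=C; export LC_ALL

# Weak: a bare "allow" serves every address that can reach UDP/123, "cmdallow"
# accepts chronyc commands over the network, and two sources leave chronyd
# without a majority if they disagree.
WEAK_CONF='server ntp.example.net iburst
server 192.0.2.1 iburst
allow
cmdallow all
driftfile /var/lib/chrony/drift'

# Hardened: three upstreams, serving limited to the LAN prefixes, and the UDP
# command port closed (cmdport 0; chronyc still works over the Unix socket).
GOOD_CONF='server ntp1.example.net iburst
server ntp2.example.net iburst
server 192.0.2.1 iburst
allow 192.168.1.0/24
allow 2001:db8:1::/64
cmdport 0
driftfile /var/lib/chrony/drift'

# Number of server/pool/peer directives (comments and blank lines ignored).
count_sources() {
    printf '%s\n' "$1" |
        awk '$1 == "server" || $1 == "pool" || $1 == "peer" { n++ } END { print n + 0 }'
}

# One finding per line; empty output means the fragment passes.
lint_chrony_conf() {
    printf '%s\n' "$1" | awk '
        $1 == "allow" && (NF == 1 || (NF == 2 && $2 == "all")) {
            print "allow without a subnet: serves time to every address that can reach UDP/123"
        }
        $1 == "cmdallow" {
            print "cmdallow present: chronyc commands accepted from the network, prefer cmdport 0"
        }
        $1 == "server" || $1 == "pool" || $1 == "peer" { n++ }
        END {
            if (n == 2) print "exactly two sources: no majority when they disagree, use one or at least three"
        }'
}

echo "== WEAK_CONF =="; lint_chrony_conf "$WEAK_CONF"
echo "== GOOD_CONF (expect no findings) =="; lint_chrony_conf "$GOOD_CONF"
```

After installing the hardened fragment and restarting chronyd, `chronyc sources -v` on the server shows its upstreams and their state, `chronyc clients` lists the LAN hosts that have actually polled it, and on a client `chronyc -n sources` should show the server's address with a `^*` or `^+` mark once it is reachable. The allow prefixes are the access control: without them the host becomes an open NTP responder for whatever can reach it.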
On 12/19/23 16:02, Carlos E. R. wrote:
As mentioned in another message, this is just an NTP client, not a server. My server is on my pfSense firewall/router.
There is no such thing.
The ntp daemon is always client and server. IIRC, it needs 3 other servers to compare to in order to get a good clock reference. Otherwise it will not be happy.
I know that was the case back in the days of SUSE, but is it still true? I used to use that server and remember seeing some configuration for the server, such as multicast to the local LAN etc., which I don't think are in the current one. Regardless, I have used Wireshark to examine my NTP traffic before and don't recall any such external address.
On 12/19/2023 16:20:33, James Knott wrote:
On 12/19/23 16:02, Carlos E. R. wrote:
As mentioned in another message, this is just an NTP client, not a server. My server is on my pfSense firewall/router.
There is no such thing.
The ntp daemon is always client and server. IIRC, it needs 3 other servers to compare to in order to get a good clock reference. Otherwise it will not be happy.
I know that was the case back in the days of SUSE, but is it still true? I used to use that server and remember seeing some configuration for the server, such as multicast to the local LAN etc., which I don't think are in the current one. Regardless, I have used Wireshark to examine my NTP traffic before and don't recall any such external address.
FWIW : https://doc.opensuse.org/documentation/leap/reference/html/book-reference/ch...
On 12/19/23 16:43, joe a wrote:
FWIW :
https://doc.opensuse.org/documentation/leap/reference/html/book-reference/ch...
If I wanted to do that, I'd do it in pfSense. A while ago, I tried using GPS, but I couldn't get a usable signal in my condo.
On 12/19/2023 16:48:05, James Knott wrote:
On 12/19/23 16:43, joe a wrote:
FWIW :
https://doc.opensuse.org/documentation/leap/reference/html/book-reference/ch...
If I wanted to do that, I'd do it in pfSense. A while ago, I tried using GPS, but I couldn't get a usable signal in my condo.
I think one of my servers is set up to "go fetch" from NTP pools and have the others sniff its offering. That was of necessity as the Sophos XG-85 firewall appliance I got some years back (as a reselling "partner") does NOT do NTP as a provider. That seemed a bogus move on their part. Never fixed it through myriad code updates. Kinda took the edge off pushing that line, for me anyway. Now that it is off EOL support, pfSense is where I plan to move.
participants (6)
- Carlos E. R.
- Darryl Gregorash
- David C. Rankin
- James Knott
- joe a
- Rodney Baker