NTP through DNS?

Andrew Latham lathama at gmail.com
Wed Sep 19 15:12:37 UTC 2018


Additionally you may route all outbound requests for NTP to a local source
found from a DNS lookup.

Benefits could be:
* Control of time sources (correct a hardcoded address that is no longer
valid)
* Mitigate attack vectors
* Mitigate bufferbloat

DNS is an important piece to this puzzle and SRV records can be useful when
devices support them. It does not hurt to add the SRV records for common
services.

On Wed, Sep 19, 2018 at 9:59 AM Mauricio Tavares <raubvogel at gmail.com>
wrote:

> On Wed, Sep 19, 2018 at 10:12 AM, Andrew Latham <lathama at gmail.com> wrote:
> > You can add SRV records for NTP to your domain if that is what you are
> > asking.
> >
>       Thanks. I was trying to query for it using dig and then realized
> I did not know if that is doable.
>
> On Wed, Sep 19, 2018 at 10:16 AM, Mukund Sivaraman <muks at mukund.org>
> wrote:
> > On Wed, Sep 19, 2018 at 10:08:34AM -0400, Mauricio Tavares wrote:
> >> Stupid question: can I publish/query the NTP server through DNS the
> >> same way I can ask who is doing LDAP?
> >
> > An NTP service doesn't belong to a domain, so maybe not (I don't know of
> > one off my mind).
> >
>       Not necessarily; I can name a few universities and businesses who
> offer their own NTP servers to their internal systems. AFAIK, this is
> considered good practice.
>
> > For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
> > and 10.98.0.5 as the NTP server:
> >
> > subnet 10.98.0.0 netmask 255.255.0.0 {
> >        ...
> >        option ntp-servers 10.98.0.5;
> > }
> >
> > and perhaps also use "tcode" and "time-offset" options to set the
> > timezone.
> >
> > But a real bummer is that some DHCP clients (e.g., Android phones) do
> > not make use of this option, and don't even provide a config setting to
> > do so. IIRC they synchronize time via the cell phone signal.
> >
>       Add Windows devices to the list.
>
> >                 Mukund


-- 
- Andrew "lathama" Latham -
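
Added example, not part of the original thread: a shell sketch that turns SRV answers for NTP into `server` lines for an NTP client configuration, keeping only targets inside your own domain on UDP port 123. The owner name `_ntp._udp.example.com`, the host names and the sample answers are constructed placeholders, and the function name `srv_to_servers` is hypothetical.

```shell
#!/bin/sh
# In production the input would come from a query such as:
#   dig +short SRV _ntp._udp.example.com
# Each answer line has the form: <priority> <weight> <port> <target>

# Constructed sample answers (all names are placeholders).
SAMPLE_SRV='20 0 123 ntp2.example.com.
10 0 123 ntp1.example.com.
10 0 123 time.other.example.net.
30 0 1123 ntp3.example.com.'

# srv_to_servers DOMAIN
# Reads SRV answer lines on stdin and prints "server <host> iburst" lines,
# lowest priority value first. Answers are dropped when:
#   - the line does not have exactly four fields,
#   - the port is not 123 (a "server" line cannot express another port),
#   - the target is not a name under DOMAIN (keeps time sources under
#     your own control even if the answer was tampered with or misedited).
srv_to_servers() {
    domain=$1
    sort -n -k1,1 | awk -v d="$domain" '
        NF == 4 && $3 == 123 {
            host = $4
            sub(/\.$/, "", host)          # drop the trailing root dot
            suffix = "." d
            # accept only names that end in ".<domain>"
            if (length(host) > length(suffix) &&
                substr(host, length(host) - length(suffix) + 1) == suffix)
                print "server " host " iburst"
        }'
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_SRV" | srv_to_servers example.com
```

With the sample input this prints `ntp1` before `ntp2`; the out-of-domain target and the non-123 port are dropped.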