[ntp:questions] Three NTP servers, one strange IP-address in 'refid'

E-Mail Sent to this address will be added to the BlackLists Null at BlackList.Anitech-Systems.invalid
Tue Apr 1 21:17:42 UTC 2014


Sander Smeenk wrote:
...
> if i check 'ntpq -c lpeers' on one of the three stratum-2
>  servers i see an IP-address listed as 'refid' for the 'peer'-entries
>  in my configuration. This IP-address is not used in any of my
>  configurations
...

No, its in ntp{1,2,3}.bit.nl's .conf, or via DHCP
 or ntp{1,2,3}.bit.nl ntp servers got it via a pool command.


 Why are you using ntp{1,2,3}.bit.nl / dns{1,2,3}.dns.dmz.bit.nl servers?
 Why do you care what ntp{1,2,3}.bit.nl / dns{1,2,3}.dns.dmz.bit.nl
  respond with for their refclock?

  or the ripe ones for that matter
  <http://www.ripe.net/data-tools/projects/faqs/faq-ris/i-need-a-ntp-time-server.-where-can-i-find-one>
  "Install a NTP server on your local network
    or look at www.ntp.org for a public NTP time server in the geographical proximity."
  "Please do NOT use RRCs as NTP servers, they were not intended for this purpose."


...
> no traffic is flowing to- or from that IP either.
...
> I ran tcpdumps on the three nodes, not a single packet
>  was logged while you would expect to see a few if indeed
>  it is uses as a sys.peer on any of the systems.

You won't see packets between ntp{1,2,3}.bit.nl and it's upstream server(s).
 Unless you can monitor the switch mirror port inside bit.nl,
   or packet cap on the ntp{1,2,3}.bit.nl machine,

   e.g. you are a bit.nl NOC SysAdmin?
         If you were, I suspect you would already know why
           their ntp server report 172.2.53.81 as their reference.

          "NTP servers: ntp1.bit.nl and ntp2.bit.nl
            This stratum 2 servers are synchronized with our stratum-1 server
             receives the right time via GPS."

              I guess it could also be a IPv6 ref mangling issue?


           {Maybe they fudged 172.2.53.81 as their reference.}
             FYI I see ntp{1,2,3}.bit.nl have referenced other
              ATT IPs in the past e.g. 32.246.249.54.
               as well as other IPs e.g. 193.0.0.228 (singtel nl)


> Also, as stated, the IP resolves to some DSL connection in
>  the US and doesn't appear to provide any NTP services.

Maybe not for you?
 172.2.53.81 -> adsl-172-2-53-81.dsl.aus2tx.sbcglobal.net > 172.2.53.81
  Maybe a router recently port 123 blocked by the ISP
   due to NTP DDOSability at the time?


> | -- dns1 --
> |      remote           refid      st t when poll reach   delay   offset  jitter
> | ==============================================================================
> | *tt52.ripe.net   .PPS.            1 u  197 1024  377    0.493   -0.528   0.411
> | +tt12.ripe.net   .GPS.            1 u  950 1024  377   13.158    0.287   0.451
> | -ntp3.tdc.fi     .PPS.            1 u 1061 1024  377   41.182    0.919   0.424
> |  dns2.dns.dmz.bi 172.2.53.81      2 u  421 1024  277    0.882   -0.418   0.362
> |  dns3.dns.dmz.bi 172.2.53.81      2 u  547 1024  376    1.227   -0.577   0.386
> | +tt52.ripe.net   .PPS.            1 u  973 1024  377    0.549   -0.547   0.470
> ...

> Publicly reachable as ntp{1,2,3}.bit.nl.
>
>
> Please note! The last three lines in the output of each server
> correspond to the 'peer ...' lines in the configuration:
> For example dns1 has:
> peer 172.17.130.32
> peer 172.17.130.33
> peer ntp4.bit.nl (== tt52.ripe.net)
>
>
> The IP shows up again in 'rv' output, f.e. on dns1/ntp1:
> | ntpq> rv
> | associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
> | version="ntpd 4.2.6p3 at 1.2290-o Tue Jun  5 20:12:08 UTC 2012 (1)",
> | processor="x86_64", system="Linux/3.2.0-57-generic", leap=00, stratum=2,
> | precision=-23, rootdelay=0.662, rootdisp=31.985, refid=172.2.53.81,
> | reftime=d6e5793c.d1bbd451  Tue, Apr  1 2014 19:43:24.819,
> | clock=d6e57d27.39cb719b  Tue, Apr  1 2014 20:00:07.225, peer=33335,
> | tc=10, mintc=3, offset=-0.412, frequency=61.081, sys_jitter=0.222,
> | clk_jitter=0.207, clk_wander=0.041
>
> Since dns1/ntp1 lpeers output shows its sys.peer(*) is tt52.ripe.net
> (ntp4.bit.nl, as configured) that would be the suspect for reporting
> the 172.2.53.81 IP.

tt52.ripe.net is your machines sys peer,
 not ntp{1,2,3}.bit.nl sys peer.


-- 
E-Mail Sent to this address <BlackList at Anitech-Systems.com>
  will be added to the BlackLists.



More information about the questions mailing list