[ntp:questions] on ubuntu OS looking at open files

Dave Hart davehart at gmail.com
Mon Nov 21 23:24:27 UTC 2011

On Mon, Nov 21, 2011 at 19:03, horus <horus at sonic.net> wrote:
> ntpd      12527    ntp   16u     IPv4          701107082       0t0
> UDP *:ntp
> ntpd      12527    ntp   17u     IPv6          701107083       0t0
> UDP *:ntp
> ntpd      12527    ntp   18u     IPv4          701107089       0t0
> UDP localhost.localdomain:ntp
> ntpd      12527    ntp   19u     IPv4          701107090       0t0
> UDP blah.blah:ntp
> ntpd      12527    ntp   20u     IPv6          701107091       0t0
> UDP [fe80::7a2b:cbff:fe43:3ed2]:ntp
> ntpd      12527    ntp   21u     IPv6          701107092       0t0
> UDP 2607.f0d0.2001.000a.0000.0000.0000.0010-static.officeirc.com:ntp
> what the heck is this entry????
> ntpd      12527    ntp   22u     IPv6          701107093       0t0
> UDP localhost6.localdomain6:ntp

You've shown netstat output without identifying it as such or saying
which OS produced it.  Your netstat has shoddy code that believes PTR
records which it shouldn't, because they don't forward validate.
Anyone can claim any hostname for any address in a reverse DNS zone
they control, so it is incumbent on software which replaces a numeric
IP address in its display with the putative reversed hostname ensure
that the original IP address appears among the A/AAAA records returned
for a query of the putative hostname.

If we ask for the DNS reverse of your box's public IPv6 address:

; <<>> DiG 9.8.0-P4 <<>> -x 2607:f0d0:2001:000a:0000:0000:0000:0010
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32209
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0


3600 IN PTR 2607.f0d0.2001.000a.0000.0000.0000.0010-stat

;; Query time: 192 msec

we are told the hostname is that long name ending in officeirc.com.
But when we attempt to verify that by querying IPv6 addresses for that

; <<>> DiG 9.8.0-P4 <<>> aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57789
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;2607.f0d0.2001.000a.0000.0000.0000.0010-static.officeirc.com. IN AAAA

officeirc.com.          300     IN      SOA     ns1.officeirc.com.
hostmaster. 61 600 600 2678400 300

;; Query time: 110 msec

we are told that long name is non-existent (NXDOMAIN).

You appear to have hand-edited the output to replace an IPv4 address
or its reversed hostname with "blah.blah".  That entry and the one you
questioned are IPv4/IPv6 evil twins -- both tell you ntpd has a socket
listening on (bound to) port 123 of the underlying local IP address.
Using netstat's -n option may reduce confusion (and will suppress
credulous display of unverified reversed hostnames).

If you configure ntpd for remote management using symmetric key
authentication, you can use ntpdc's ifstats to retrieve per-address
statistics.  In 4.2.7 ntpq also has ifstats.

Dave Hart

More information about the questions mailing list