[ntp:questions] ntpd access restrictions: Server allowed works only with ipaddress

Brian Inglis Brian.Inglis at SystematicSw.ab.ca
Fri Mar 28 17:47:50 UTC 2014


On 2014-03-28 02:50, Witt, Stefan wrote:
> Hello, looking for an answer of the following misbehaviour:
>
> Server entries are only valid and accepted if I use ip-address and not if I use fqdn of the timeserver1/2!
> Resolving of Timeserver-fqdn is successful!
>
> Does anybody have an explanation of this unexpected behavior?
>
> the ntp.conf looks quite like that:
>
> ##########
> restrict 0.0.0.0 mask 0.0.0.0 nomodify nopeer

equivalent to:

restrict default nomodify nopeer

should add noquery, notrap and limited, kod to avoid RDDoS attacks
and rate limit everything:

restrict default kod limited nomodify nopeer noquery notrap

and allow local access:

restrict 127.0.0.1
restrict -6 ::1

also add any local subnet or systems you may want to monitor from

> ##########
>
> # driftfile is highly recommended because of reboot situations
> driftfile /etc/inet/ntp.drift
>
> ################################

remove below as it is really designed for external local clock discipline:

> server 127.127.1.1
> fudge  127.127.1.1 stratum 5

add orphan mode if you want to be able to serve time, and a couple of internet
servers or a pool statement with a pool server:

pool CC.pool.ntp.org iburst minpoll 6 maxpoll 6

where CC is your country code

and add "iburst minpoll 6 maxpoll 6" to your server lines

> ### internal timeserver:
> ##server fqdn-timeserver1 prefer
> ##server fqdn-timeserver2
>
> # internal  timeserver:
> server <ipv4-adress-timeserver1> prefer
> server <ipv4-adress-timeserver2>
> #########################################################################

Names are resolved by DNS - check with nslookup on the host names alone
and with the fqdns and maybe add local aliases to /etc/hosts e.g.:

timeserver1-ipaddress timeserver1-hostname timeserver1-fqdn
timeserver2-ipaddress timeserver2-hostname timeserver2-fqdn

and to be friendly add to ntp.conf:

restrict timeserver1-hostname nomodify
restrict timeserver2-hostname nomodify

-- 
Take care. Thanks, Brian Inglis
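
Added example, not part of the original message or of the ntp distribution: a small Python check that applies the advice in the reply above to an ntp.conf, reporting a default restrict entry that lacks the recommended flags and any server/fudge lines that use the 127.127.1.x local clock driver. The function name `audit` and the 192.0.2.x addresses in the sample are assumptions made for the illustration.

```python
# Flags the reply recommends on the default restriction.
RECOMMENDED = ("kod", "limited", "nomodify", "nopeer", "noquery", "notrap")

# Constructed sample: the ntp.conf from the question, with the address
# placeholders filled in from the 192.0.2.0/24 documentation range.
SAMPLE_CONF = """\
restrict 0.0.0.0 mask 0.0.0.0 nomodify nopeer
driftfile /etc/inet/ntp.drift
server 127.127.1.1
fudge  127.127.1.1 stratum 5
server 192.0.2.10 prefer
server 192.0.2.11
"""


def audit(conf_text):
    """Return (line_number, finding) tuples for the text of an ntp.conf."""
    findings = []
    saw_default = False
    for num, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(tokens) < 2:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "restrict":
            if args[0] in ("-4", "-6") and len(args) > 1:
                args = args[1:]  # address-family prefix, as in "restrict -6 ::1"
            # "0.0.0.0 mask 0.0.0.0" is the same entry as "default".
            if args[0] == "default":
                flags = args[1:]
            elif args[:3] == ["0.0.0.0", "mask", "0.0.0.0"]:
                flags = args[3:]
            else:
                continue  # host or subnet entry, not the default
            saw_default = True
            missing = [f for f in RECOMMENDED if f not in flags]
            if missing:
                findings.append((num, "default restrict lacks: " + " ".join(missing)))
        elif keyword in ("server", "fudge") and args[0].startswith("127.127.1."):
            findings.append((num, keyword + " line uses the local clock driver"))
    if not saw_default:
        findings.append((0, "no default restrict entry found"))
    return findings


if __name__ == "__main__":
    for num, finding in audit(SAMPLE_CONF):
        print(f"line {num}: {finding}")
```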

