[ntp:security] pool.ntp.org directs to www.foofus.net

Danny Mayer mayer at ntp.org
Wed Jun 11 04:13:40 UTC 2008


arden henderson wrote:
> Hi Danny,
> 
> Thanks for your reply.
> 
>> I'm not sure what the issue is that you are reporting nor why it's 
>> considered a security issue.
>> pool.ntp.org is designed to point to a varying list of addresses which 
>> host available NTP servers and is only used by other NTP servers. It's 
>> not a web site if that's what you are telling us. Where does OpenDNS 
>> come into this?
>> Can you tell us what the real issue is?
> 
> It may not be a security issue but that was my best guess contact point. 
> I apologize if I contacted the wrong email address.
> 
> The issue was -- yesterday -- that pool.ntp.org would redirect to 
> foofus.net or www.pool.ntp.org, the NTP Pool Project site, depending on 
> nameservers used. However, I can't reproduce it today. (Hitting 
> pool.ntp.org today always jumps to the NTP Pool Project site; the URL 
> in the browser instantly switches to www.pool.ntp.org.)
> 

I doubt that it will do that consistently. pool.ntp.org is specifically 
allocated to NTP servers and not HTTP servers. Almost none of the admins 
contributing to the pool are running HTTP servers and even if they are 
they will not be showing the pool web site. People make the mistake of 
assuming that the domain and the www address will point to the same web 
pages. In reality someone has to add records to the DNS zone in order 
for that to happen. You may also happen to have reached a DNS which is 
returning a relatively long lasting record with a TTL which points to 
the actual web server for the pool pages. You should *not* rely on this 
behavior. Use the www.pool.ntp.org address. A quick check of the pool 
domain shows that the addresses returned have a 1200 second TTL timeout. 
How long did you wait before you retried?

> 
> Here's the background:
> I use pool.ntp.org with OpenBSD on another machine so, yesterday, hit 
> pool.ntp.org to learn more about it, thinking it would hit the NTP Pool 
> Project site, as www.pool.ntp.org.
> 

What you mean here is that you used a Web browser with a URL of 
http://pool.ntp.org/ to get to the project page. That actually gets you 
to a random HTTP server run by one of the members of the pool. Whether 
or not there is an HTTP server at the provided address is a matter of luck.

> To my surprise, pool.ntp.org (without the www), would redirect 
> immediately to foofus.net, using OpenDNS nameservers. This was 
> surprising to me since foofus.net seemed to have nothing to do with 
> ntp.org.  (I had never seen foofus.net show up before -- never heard of 
> it before pool.ntp.org jumped to it. Maybe foofus.net is one of the 
> pooled NTP servers?)
> 
> Using www.pool.ntp.org directly (with the www) would hit the site as 
> expected.
> 

This is expected and normal behavior of DNS. The problem is not a DNS 
problem; it's a user expectation problem.

> To test, I switched to Verizon nameservers and pool.ntp.org would then 
> immediately change to www.pool.ntp.org in the browser and the expected 
> site would show up. Thinking this odd and having something to do with 
> OpenDNS nameservers (I didn't test with any other nameservers other than 
> Verizon and only OpenDNS nameservers seem to do this), I emailed OpenDNS 
> and they sent the email I forwarded below about root servers.
> 
> The OpenDNS email indicated they thought something odd was happening at 
> the moment with root servers and sounded like I should let ntp.org know. 

That's because they didn't do a proper analysis of the question. 
dnsstuff is not reliable in the first place and just a few queries with 
dig should have provided the correct answer that there is no problem. 
This is not even a DNS issue. If you read the HTTP web page at 
http://www.pool.ntp.org/ you will find the answer. The addresses are 
actually handed out randomly by each of the nameservers in order to 
spread the load among many different NTP servers. Notice that nothing is 
said about HTTP servers here.

> So, this was confirmation that something unexpected was happening from 
> their perspective, at least.

That's because they failed to do the correct analysis. Getting different 
addresses from different nameservers is not necessarily wrong; it just 
may mean that they have not caught up with the changes in the master. 
Propagation of DNS records takes time. In this particular case the 
differences are by design, see above.

> Then I picked the best ntp.org email I 
> could locate to send the info in case it might be important. I chose the 
> security email address since it seemed appropriate at the time.
> 
> It turns out I can't get this to reproduce at all today using OpenDNS 
> nameservers (with a few tries just now), so whatever was happening 
> yesterday isn't happening today. Hitting pool.ntp.org immediately jumps 
> to the proper site now as www.pool.ntp.org.
> 

It's the same. You are just hitting a cached address. Don't assume this 
behavior. Once the TTL on the record expires it will fetch a new address 
and you will get a different result. I assume of course that OpenDNS 
does the right thing and refetches records for which their TTL has 
expired. Don't use pool.ntp.org when looking for a web page, use 
www.pool.ntp.org.

Danny

> Thanks for your time on this.
> 
> --arden henderson
> 
> 
> At 12:54 -0400 6/10/08, Danny Mayer wrote:
> I'm not sure what the issue is that you are reporting nor why it's 
> considered a security issue.
> 
> pool.ntp.org is designed to point to a varying list of addresses which 
> host available NTP servers and is only used by other NTP servers. It's 
> not a web site if that's what you are telling us. Where does OpenDNS 
> come into this?
> 
> Can you tell us what the real issue is?
> 
> Danny
> 
> arden henderson wrote:
> Hi,
> 
> Depending on the nameservers, pool.ntp.org brings up www.foofus.net
> 
> www.pool.ntp.org seems to work reliably
> 
> OpenDNS checked it out (ref email below) and provided this reply:
>> It definitely looks like something odd is happening with the root 
>> servers. See 
>> http://private.dnsstuff.com/tools/traversal.ch?domain=pool.ntp.org&type=A&token=11a0aba66da33b3d25d2b49601999019
> 
> Hope this helps.
> 
> --arden henderson
> 
> ---------------------
> 
> reference:
> Date: Tue, 10 Jun 2008 00:10:53 +0000
> From: contact at opendns.com
> Subject: [ #ITW-91343-839]: [HOME] Question Defies Categorization (Arden
>   Henderson)
> To: tx407781x at verizon.net
> 
> Hi.
> 
> It definitely looks like something odd is happening with the root 
> servers. See 
> http://private.dnsstuff.com/tools/traversal.ch?domain=pool.ntp.org&type=A&token=11a0aba66da33b3d25d2b49601999019
> 
> My only suggestion would be to try contacting the host provider or site 
> admin.
> 
> 
> Please let us know if you have any further questions or concerns. We are 
> happy to help!
> 
> Daniel Gifford
> Community Manager
> OpenDNS.com
> 
> ---------------------
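
Added example (not part of the original message or of the NTP Pool's own code): an offline simulation of the behaviour the reply describes, where two caching resolvers get different pool.ntp.org addresses, keep them for the 1200 second TTL, and then refetch. The addresses are constructed documentation-range values, the class and function names are hypothetical, and round-robin stands in for the pool's random selection so the run is reproducible.

```python
POOL_TTL = 1200  # seconds; the TTL the reply reports for pool.ntp.org records

# Constructed sample data: documentation-range addresses standing in for
# volunteer NTP hosts. Only one of them happens to also run an HTTP server.
POOL_MEMBERS = ["192.0.2.10", "192.0.2.20", "198.51.100.5", "203.0.113.7"]
HTTP_VHOSTS = {"198.51.100.5": "unrelated site run by a pool member"}


class PoolAuthority:
    """Hypothetical authoritative server: each query gets the next member."""

    def __init__(self):
        self._next = 0

    def query(self, name):
        addr = POOL_MEMBERS[self._next % len(POOL_MEMBERS)]
        self._next += 1
        return addr, POOL_TTL


class CachingResolver:
    """Hypothetical recursive resolver that honours the record TTL."""

    def __init__(self, authority):
        self.authority = authority
        self.cache = {}  # name -> (address, expiry time)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0], True            # still cached: same answer as before
        addr, ttl = self.authority.query(name)
        self.cache[name] = (addr, now + ttl)
        return addr, False                 # TTL expired or first lookup


def browse(resolver, name, now):
    """What a browser pointed at http://<name>/ would reach at time `now`."""
    addr, cached = resolver.resolve(name, now)
    return addr, cached, HTTP_VHOSTS.get(addr, "no HTTP server (NTP only)")


def demo():
    """Two users behind different resolvers visit the bare pool name."""
    authority = PoolAuthority()
    resolvers = (("A", CachingResolver(authority)), ("B", CachingResolver(authority)))
    return [(now, label) + browse(r, "pool.ntp.org", now)
            for now in (0, 600, 1200) for label, r in resolvers]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

At t=600 both users still see their cached address; at t=1200 the records have expired and the user behind resolver A lands on a pool member's unrelated web site without anything being wrong in DNS.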


