[ntp:security] pool.ntp.org directs to www.foofus.net

arden henderson tx407781x at verizon.net
Wed Jun 11 20:10:22 UTC 2008


Thanks, Danny. Much appreciated info.

Regards,

--arden henderson


At 00:13 -0400 6/11/08, Danny Mayer wrote:
>arden henderson wrote:
>>Hi Danny,
>>
>>Thanks for your reply.
>>
>>  >I'm not sure what the issue is that you are reporting nor why 
>>it's considered a security issue.
>>  >pool.ntp.org is designed to point to a varying list of addresses 
>>which host available NTP servers and is only used by other NTP 
>>servers. It's not a web site if that's what you are telling us. 
>>Where does OpenDNS come into this?
>>  >Can you tell us what the real issue is?
>>
>>It may not be a security issue but that was my best guess contact 
>>point. I apologize if I contacted the wrong email address.
>>
>>The issue was -- yesterday -- that pool.ntp.org would redirect to 
>>foofus.net or www.pool.ntp.org, the NTP Pool Project site, 
>>depending on nameservers used. However, I can't reproduce it 
>>today. (hitting pool.ntp.org today always jumps to the NTP Pool 
>>Project site, the url in the browser instantly switches to 
>>www.pool.ntp.org)
>>
>
>I doubt that it will do that consistently. pool.ntp.org is 
>specifically allocated to NTP servers and not HTTP servers. Almost 
>none of the admins contributing to the pool are running HTTP servers 
>and even if they are they will not be showing the pool web site. 
>People make the mistake of assuming that the domain and the www 
>address will point to the same web pages. In reality someone has to 
>add records to the DNS zone in order for that to happen. You may 
>also happen to have reached a DNS which is returning a relatively long 
>lasting record with a TTL which points to the actual web server for 
>the pool pages. You should *not* rely on this behavior. Use the 
>www.pool.ntp.org address. A quick check of the pool domain shows 
>that the addresses returned have a 1200 second TTL timeout. How long did 
>you wait before you retried?
>
>>
>>Here's the background:
>>I use pool.ntp.org with OpenBSD on another machine so, yesterday, 
>>hit pool.ntp.org to learn more about it, thinking it would hit the 
>>NTP Pool Project site, as www.pool.ntp.org.
>>
>
>What you mean here is that you used a Web browser with a URL of 
>http://pool.ntp.org/ to get to the project page. That actually gets 
>you to a random HTTP server run by one of the members of the pool. 
>Whether or not there is an HTTP server at the provided address is a 
>matter of luck.
>
>>To my surprise, pool.ntp.org (without the www), would redirect 
>>immediately to foofus.net, using OpenDNS nameservers. This was 
>>surprising to me since foofus.net seemed to have nothing to do with 
>>ntp.org.  (I had never seen foofus.net show up before -- never 
>>heard of it before pool.ntp.org jumped to it. Maybe foofus.net is 
>>one of the pooled NTP servers?)
>>
>>Using www.pool.ntp.org directly (with the www) would hit the site 
>>as expected.
>>
>
>This is expected and normal behavior of DNS. The problem is not a 
>DNS problem; it's a user expectation problem.
>
>>To test, I switched to Verizon nameservers and pool.ntp.org would 
>>then immediately change to www.pool.ntp.org in the browser and the 
>>expected site would show up. Thinking this odd and having something 
>>to do with OpenDNS nameservers (I didn't test with any other 
>>nameservers other than Verizon and only OpenDNS nameservers seem to 
>>do this), I emailed OpenDNS and they sent the email I forwarded 
>>below about root servers.
>>
>>The OpenDNS email indicated they thought something odd was 
>>happening at the moment with root servers and sounded like I should 
>>let ntp.org know.
>
>That's because they didn't do a proper analysis of the question. 
>dnsstuff is not reliable in the first place and just a few queries 
>with dig should have provided the correct answer that there is no 
>problem. This is not even a DNS issue. If you read the HTTP web page 
>at http://www.pool.ntp.org/ you will find the answer. The addresses 
>are actually handed out randomly by each of the nameservers in order 
>to spread the load among many different NTP servers. Notice that 
>nothing is said about HTTP servers here.
>
>>So, this was confirmation that something unexpected was happening 
>>from their perspective, at least.
>
>That's because they failed to do the correct analysis. Getting 
>different addresses from different nameservers is not necessarily 
>wrong; it just may mean that they have not caught up with the changes 
>in the master. Propagation of DNS records takes time. In this 
>particular case the differences are by design, see above.
>
>>Then I picked the best ntp.org email I could locate to send the 
>>info in case it might be important. I chose the security email 
>>address since it seemed appropriate at the time.
>>
>>It turns out I can't get this to reproduce at all today using 
>>OpenDNS nameservers (with a few tries just now), so whatever was 
>>happening yesterday isn't happening today. Hitting pool.ntp.org 
>>immediately jumps to the proper site now as www.pool.ntp.org.
>>
>
>It's the same. You are just hitting a cached address. Don't assume 
>this behavior. Once the TTL on the record expires it will fetch a 
>new address and you will get a different result. I assume of course 
>that OpenDNS does the right thing and refetches records for which 
>their TTL has expired. Don't use pool.ntp.org when looking for a web 
>page, use www.pool.ntp.org.
>
>Danny
>
>>Thanks for your time on this.
>>
>>--arden henderson
>>
>>
>>At 12:54 -0400 6/10/08, Danny Mayer wrote:
>>I'm not sure what the issue is that you are reporting nor why it's 
>>considered a security issue.
>>
>>pool.ntp.org is designed to point to a varying list of addresses 
>>which host available NTP servers and is only used by other NTP 
>>servers. It's not a web site if that's what you are telling us. 
>>Where does OpenDNS come into this?
>>
>>Can you tell us what the real issue is?
>>
>>Danny
>>
>>arden henderson wrote:
>>Hi,
>>
>>Depending on the nameservers, pool.ntp.org brings up www.foofus.net
>>
>>www.pool.ntp.org seems to work reliably
>>
>>OpenDNS checked it out  (ref email below) and provided this reply:
>>>It definitely looks like something odd is happening with the root 
>>>servers. See 
>>>http://private.dnsstuff.com/tools/traversal.ch?domain=pool.ntp.org&type=A&token=11a0aba66da33b3d25d2b49601999019
>>
>>Hope this helps.
>>
>>--arden henderson
>>
>>---------------------
>>
>>reference:
>>Date: Tue, 10 Jun 2008 00:10:53 +0000
>>From: contact at opendns.com
>>Subject: [ #ITW-91343-839]: [HOME] Question Defies Categorization (Arden
>>   Henderson)
>>To: tx407781x at verizon.net
>>
>>Hi.
>>
>>It definitely looks like something odd is happening with the root 
>>servers. See 
>>http://private.dnsstuff.com/tools/traversal.ch?domain=pool.ntp.org&type=A&token=11a0aba66da33b3d25d2b49601999019
>>
>>My only suggestion would be to try contacting the host provider or 
>>site admin.
>>
>>
>>Please let us know if you have any further questions or concerns. 
>>We are happy to help!
>>
>>Daniel Gifford
>>Community Manager
>>OpenDNS.com
>>
>>---------------------
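
Added example, not part of the original messages: a small offline simulation of the behaviour the thread describes, in which the pool name resolves to a randomly chosen volunteer host, each recursive resolver caches that answer for the 1200 second TTL, and a browser pointed at the bare pool name therefore lands on whatever that host happens to serve. The addresses, the HTTP behaviour per host, and the class names are constructed for illustration; the real pool returns several A records per answer, simplified here to one.

```python
import random

POOL_TTL = 1200  # seconds; the TTL reported in the thread for the pool's A records

# Constructed sample data: documentation-range addresses standing in for
# volunteer NTP hosts. A value of None means the host runs no HTTP server.
POOL_MEMBERS = {
    "192.0.2.10": None,
    "192.0.2.20": "unrelated web site run by a pool volunteer",
    "198.51.100.5": None,
    "203.0.113.7": "redirect to www.pool.ntp.org",
}

class Authoritative:
    """Hands out a random pool member per query, spreading NTP load by design."""
    def __init__(self, seed):
        self.rng = random.Random(seed)
        self.queries = 0
    def query(self):
        self.queries += 1
        return self.rng.choice(sorted(POOL_MEMBERS)), POOL_TTL

class CachingResolver:
    """Recursive resolver that reuses an answer until its TTL expires."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.addr = None
        self.expires = -1
    def resolve(self, now):
        if now >= self.expires:  # cache empty or expired: ask upstream again
            self.addr, ttl = self.upstream.query()
            self.expires = now + ttl
        return self.addr

def browse(resolver, now):
    """What a browser sees for http://<pool name>/ at time `now` (seconds)."""
    addr = resolver.resolve(now)
    return addr, POOL_MEMBERS[addr] or "no HTTP server (connection refused)"

def timeline(resolver, times):
    return [browse(resolver, t) for t in times]

if __name__ == "__main__":
    auth = Authoritative(seed=2008)
    for name in ("resolver A", "resolver B"):  # two independent caches
        for addr, result in timeline(CachingResolver(auth), [0, 600, 1200, 2400]):
            print(f"{name}: {addr:<13} -> {result}")
```

Within one TTL window a resolver keeps returning the same host, which is why the observation could not be reproduced at will; two resolvers with separate caches can disagree at the same moment without either being wrong.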


