Revision ntp:ntp [2026/03/07 03:59] (current) by bstafford; previous revision ntp:ntp [2023/04/12 21:41] ([Show NTP Status]) by bstafford.
====== NTP ======
  * There is a dedicated page for [[ntp:ntp_pools|public NTP servers]].
  * There is a dedicated page for [[infoblox:ntp_on_infoblox|Infoblox NTP]].
  * A good overview of NTP is [[https://www.meinbergglobal.com/english/info/ntp.htm|here on the meinbergglobal page]].
  
**DO NOT** use burst or iburst against public NTP servers unless they explicitly announce that they accept it (e.g. do not use it against *.ntp.org servers). More details [[ntp:ntp#burst_and_iburst|here]].

**DO NOT** configure your system to use leap-smearing NTP servers together with non-leap-smearing NTP servers. e.g. do not combine Google NTP with Cloudflare NTP: around a leap second the two groups disagree by a noticeable fraction of a second, and ntpd will treat one of the groups as falsetickers. See [[ntp_pools#leap_smearing|here]].
  
**DO NOT** point your NTP servers at anycast NTP addresses; in particular avoid Google NTP, which is served over anycast. Successive queries to an anycast address can be answered by different physical servers, so the samples ntpd filters and averages are not all from one clock. There are some use cases where it is acceptable (e.g. a large network where time is important but not critical, or endpoint devices that can only be configured with a single NTP IP address).
  
Try to use sources with a low poll time.

NTP overview from an NTP [[https://www.eecis.udel.edu/~mills/ntp.html|author]] and there is a best practice guide [[https://tools.ietf.org/id/draft-ietf-ntp-bcp-13.html|here]].

One argument for using UTC on all devices everywhere is that, if the government of a country (e.g. Mexico in late 2022) decides to scrap daylight saving time, and the computer systems are not updated with this information, they will still apply daylight saving time and cause massive issues.

(from [[https://www.reddit.com/r/NTP/comments/14p0e8p/noobs_ntp_question/|Redditor throwaway234f32423df]])

Bare minimum 4 (this is why the pool.ntp.org DNS names all return 4 IPs, or 8 if you count IPv4 + IPv6 on the IPv6-enabled names like 2.pool.ntp.org)

  * If you list just one, there can be no question which will be considered to be "right" or "wrong". But if that one goes down, you are toast.
  * With two, it is impossible to tell which one is better, because you don't have any other references to compare them with. This is actually the worst possible configuration -- you'd be better off using just one upstream time server and letting the clocks run free if that upstream were to die or become unreachable.
  * With three servers, you have the minimum number of time sources needed to allow ntpd to detect if one time source is a "falseticker". However ntpd will then be in the position of choosing from the two remaining sources. This configuration provides no redundancy.
  * With at least four upstream servers, one (or more) can be a "falseticker", or just unreachable, and ntpd will have a sufficient number of sources to choose from.

More is better, within reason. NTPD will normally only use up to 10 servers; if you give it more than 10 it'll select the best 10 and only monitor the rest. You can tell it to use more but at that point the benefit would be minimal.
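The reasoning in the post above comes from the interval-intersection step of NTP's clock selection (RFC 5905, section 11.2.1): a source is only believed if it belongs to a strict majority whose error intervals overlap. The following is an added illustration, not code from this page, from the Redditor or from ntpd, and all offsets in it are constructed. ''truechimers()'' is a brute-force version of that majority-overlap test; ''scenarios()'' runs the one/two/three/four-server cases from the post with one deliberately wrong source.

```python
"""Why 1, 2, 3 and 4 upstream servers behave so differently: the majority
overlap ("truechimer") step of NTP clock selection, RFC 5905 section 11.2.1.

Added illustration, not from the wiki page, the Reddit post or ntpd itself: a
brute-force version of the interval intersection. Each candidate is
(offset, root_distance) in seconds, meaning "true time is within
offset +/- root_distance of what this source says". The largest strict
majority of candidates whose intervals share a common point are the
truechimers; the rest are falsetickers. All offsets below are constructed.
"""
from itertools import combinations


def truechimers(candidates):
    """Indices of the largest majority-overlap group, or [] if no majority agrees.

    candidates: list of (offset_seconds, root_distance_seconds).
    """
    n = len(candidates)
    intervals = [(off - dist, off + dist) for off, dist in candidates]
    # Largest groups first; a group must be a strict majority of all candidates.
    for size in range(n, n // 2, -1):
        for group in combinations(range(n), size):
            low = max(intervals[i][0] for i in group)
            high = min(intervals[i][1] for i in group)
            if low <= high:               # every interval in the group covers [low, high]
                return list(group)
    return []


def scenarios():
    """The four cases from the post: 1, 2, 3 and 4 sources, one of them bad."""
    good1 = (0.001, 0.020)    # honest: 1 ms off, 20 ms root distance
    good2 = (-0.002, 0.030)   # honest: 2 ms the other way, 30 ms root distance
    good3 = (0.003, 0.025)    # honest
    bad = (5.000, 0.020)      # falseticker: 5 s off but claims to be accurate
    return {
        "one": truechimers([good1]),                              # trusted by default
        "two_disagree": truechimers([good1, bad]),                # no majority: nothing survives
        "three_one_false": truechimers([good1, good2, bad]),      # bad is outvoted, no spare
        "four_one_false": truechimers([good1, good2, good3, bad]),  # bad outvoted, one spare
    }


if __name__ == "__main__":
    for name, survivors in scenarios().items():
        print(f"{name:16s} survivors={survivors}")
```

With two sources that disagree the function returns an empty list, which is the "worst possible configuration" case: ntpd has no majority and will not follow either clock.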
===== NTP Timezones =====
  * [[https://www.iana.org/time-zones|IANA's page on timezones]]
  * [[https://en.wikipedia.org/wiki/List_of_tz_database_time_zones|List of Timezones]]
  * [[https://en.wikipedia.org/wiki/List_of_time_zone_abbreviations|List of Timezone Abbreviations]]

===== NTPQ Commands =====
[[https://www.cyberithub.com/ntpq-command-examples-in-linux-rhel-centos-7-8/|Commands here]].
  
===== Linux NTP Test =====
Query a server without touching the local clock (''-q''); 192.168.1.1 is the NTP server under test:

<code>ntpdate -q 192.168.1.1</code>

Repeat every 2 seconds to watch offset and delay over time:

<code>watch -n 2 "ntpdate -q 192.168.1.1"</code>
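Under the hood ''ntpdate -q'' sends one 48-byte NTP client packet, reads the reply and computes the offset and round-trip delay from the four timestamps. The script below is an added example (not from this page or from ntpdate) that does the same thing by hand, including the checks a careful client makes: mode 4, origin timestamp echoed back, no kiss-of-death, clock synchronised. The reply in ''demo()'' is constructed so the script runs offline; ''query_server()'' does the real exchange against a host you name, and 192.168.1.1 is just a placeholder.

```python
"""What `ntpdate -q` does on the wire: send one NTPv4 client packet, read the
reply and compute clock offset and round-trip delay from the four timestamps
T1..T4 (RFC 5905, section 8).

Added example, not part of the wiki page or of ntpdate. The reply in demo() is
constructed so the script runs offline; query_server() performs the real
exchange against a host you name (192.168.1.1 is a placeholder).
"""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800        # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
NTP_PACKET = "!BBBb11I"            # LI/VN/mode, stratum, poll, precision, then 11 x 32-bit words


def to_ntp(unix_seconds):
    """Unix time (float) -> (whole, fraction) halves of a 64-bit NTP timestamp."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * 2 ** 32)
    return (whole + NTP_UNIX_DELTA) & 0xFFFFFFFF, frac


def from_ntp(whole, frac):
    """(whole, fraction) NTP timestamp halves -> Unix time (float)."""
    return whole - NTP_UNIX_DELTA + frac / 2 ** 32


def build_client_request(t1):
    """Mode 3 (client), version 4; only the transmit timestamp (T1) is filled in."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(NTP_PACKET, li_vn_mode, 0, 0, 0,
                       0, 0, 0,                 # root delay, root dispersion, reference id
                       0, 0, 0, 0, 0, 0,        # reference, origin and receive timestamps
                       *to_ntp(t1))             # transmit timestamp = T1


def build_server_reply(stratum, origin, recv, xmt, kiss=None):
    """A mode 4 reply as a server would send it (used by the offline demo only).

    Stratum 0 with a 4-character ASCII reference id is a kiss-of-death packet,
    which is what `restrict ... kod limited` makes a server send to clients
    that poll too fast.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    refid = int.from_bytes(kiss if kiss else b"\x0a\x00\x00\x01", "big")  # upstream IPv4 or kiss code
    return struct.pack(NTP_PACKET, li_vn_mode, stratum, 6, -20,
                       0, 0, refid,
                       *to_ntp(recv - 60),      # reference timestamp: last upstream update
                       *to_ntp(origin),         # origin = client's T1, echoed back
                       *to_ntp(recv),           # receive timestamp T2
                       *to_ntp(xmt))            # transmit timestamp T3


def parse_reply(data, t1, t4):
    """Validate the reply and return version, stratum, offset and delay (seconds)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_PACKET, data[:48])
    leap, version, mode, stratum = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7, f[1]
    if mode != 4:
        raise ValueError(f"expected a server reply (mode 4), got mode {mode}")
    if stratum == 0:
        kiss = data[12:16].decode("ascii", errors="replace")
        raise ValueError(f"kiss-of-death {kiss!r}: back off and stop polling this server")
    if leap == 3:
        raise ValueError("server reports its clock is not synchronised (LI=3)")
    if (f[9], f[10]) != to_ntp(t1):
        raise ValueError("origin timestamp does not match our request (stale or spoofed reply)")
    t2 = from_ntp(f[11], f[12])
    t3 = from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2     # how far our clock is behind the server's
    delay = (t4 - t1) - (t3 - t2)            # round trip minus the server's processing time
    return {"version": version, "stratum": stratum, "offset": offset, "delay": delay}


def demo():
    """Offline run: our clock is 100 ms behind a stratum-2 server, 10 ms round trip."""
    t1 = 1700000000.0           # constructed send time by our clock
    t2 = t1 + 0.005 + 0.100     # server's clock when the request arrived (5 ms path, +100 ms skew)
    t3 = t2 + 0.001             # server's clock when it answered
    t4 = t1 + 0.011             # our clock when the answer arrived
    reply = build_server_reply(stratum=2, origin=t1, recv=t2, xmt=t3)
    return parse_reply(reply, t1, t4)


def query_server(host, timeout=2.0):
    """The real exchange (needs network): one request, one reply, like `ntpdate -q`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_client_request(t1), (host, 123))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_reply(data, t1, t4)


if __name__ == "__main__":
    print(demo())   # offline; call query_server("192.168.1.1") for a live check
```

The origin-timestamp comparison is the same check ntpd uses to drop replies that were not solicited by the request just sent, which is what makes blind off-path spoofing of a reply hard without guessing T1.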
===== AWS NTP =====
You can query NTP in AWS at this IP
<code>169.254.169.123</code>
The 169.254.169.123 clock smooths out leap seconds over a period of time (commonly called leap smearing), which makes it easier for your applications to deal with leap seconds. Because it smears, do not mix it with non-smearing public servers (see the leap-smearing warning above).

[[https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/|AWS provides]] a highly accurate time synchronization service (Amazon Time Sync Service, ATSS, 169.254.169.123) inside every EC2 instance. It uses a fleet of redundant satellite-connected and atomic clocks in each region to deliver a highly accurate reference clock.

===== Windows NTP =====
**REMEMBER** W32Time will only actively synchronize with one time source at a time, even though you are able to list more than one time source. ([[https://docs.microsoft.com/en-gb/archive/blogs/w32time/configuring-the-time-service-ntpserver-and-specialpollinterval|source]])
==== Test Windows NTP ====
You can test NTP manually on Windows with the following command (where 192.168.1.1 is the IP of the NTP server; ''/period:2'' samples every 2 seconds, which is also the default).
<code>w32tm /stripchart /dataonly /period:2 /computer:192.168.1.1</code>
  
==== Resync Windows NTP ====
  
===== Burst and iBurst =====
[[https://www.eecis.udel.edu/~mills/ntp/html/assoc.html#poll|Documentation]]

Using the burst option against a public server is considered abuse. Do not use this option with public NTP servers. Use it only for applications within your own organization.
  
<code>
$stringAsStream = [System.IO.MemoryStream]::new()
$writer = [System.IO.StreamWriter]::new($stringAsStream)
$writer.Write("ThisIsMyKeyString")
$writer.Flush()
$stringAsStream.Position = 0
# replace xxx with the hash algorithm you need, e.g. SHA256 or MD5
Get-FileHash -InputStream $stringAsStream -Algorithm xxx | Select-Object Hash
</code>
  
===== NTP Configuration =====
[[https://www.ntp.org/documentation/4.2.8-series/accopt/|Official NTP Docs]] on configuration.

[[https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2_configure_rate_limiting_access_to_an_ntp_service|Red Hat Docs on NTP Config]]

[[https://docs.ntpsec.org/latest/ntpq.html#mrulist|Docs on mrulist]].

Example snippet from an NTP configuration file (ntp.conf). Note that it has no ''restrict -6 default'' line and advertises the local clock at stratum 1 with ''prefer''; both are discussed below.
<code>
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntpd.log
discard average 3 minimum 1 monitor 10
restrict -4 default kod limited nomodify noquery nopeer
restrict 127.0.0.1
restrict ::1
server 127.127.1.1 burst iburst prefer
fudge 127.127.1.1 stratum 1
</code>
  * **discard**
    * **average** - the minimum average packet spacing to be permitted, given as a power of two in seconds (log2). The default is 3 (2^3 = 8 seconds).
    * **minimum** - the minimum spacing between two consecutive packets to be permitted, also in log2 seconds. The default is 1 (2^1 = 2 seconds).
    * **monitor** - the discard probability for packets that overflow the rate-control window. The default is 3000. This option is intended for servers that receive 1000 or more requests per second.
  * **restrict**
    * **-4** - apply this rule to IPv4 only. There is usually a matching ''restrict -6 default ...'' for IPv6; the snippet above has none, so IPv6 clients of this server are completely unrestricted.
    * **default** - the catch-all rule for every IPv4 address (0.0.0.0/0) that doesn't match a more specific ''restrict'' line.
    * **kod** - when a client exceeds the rate limits set by ''discard'' (and ''limited'' is present), send a Kiss-of-Death (KoD) packet telling it to slow down instead of silently dropping its packets.
    * **limited** - enforce rate limiting using the thresholds from ''discard ...''. A client that sends requests too fast is denied time service (and, with ''kod'', is sent KoD packets).
    * **nomodify** - block control packets that change configuration or state (e.g. ntpq/ntpdc commands that try to modify variables). Information-only queries are still allowed by this flag alone, hence ''noquery'' next.
    * **noquery** - block all ntpq/ntpdc queries (status, variables, the MRU list). Normal time requests are still answered. This is the flag that stops the server being used as a monlist/mrulist amplification reflector, so it belongs on every default rule.
    * **nopeer** - prevent others from forming NTP peer associations with this server unless specifically allowed or authenticated. This blocks unsolicited symmetric, broadcast, manycast and pool-based peering that would otherwise turn your server into a peer for them.
  * **restrict 127.0.0.1** / **restrict ::1** - no flags, so nothing is restricted for localhost (ntpq run on the server itself keeps working).
  * **server**
    * **127.127.1.1** - the "local clock" (undisciplined local clock driver, unit 1). It tells ntpd to treat the machine's own system clock (on a VM, the clock the hypervisor provides; on bare metal, the hardware clock) as an NTP time source. It is normally used only as a last-resort fallback when no real upstream server is reachable, together with a ''fudge 127.127.1.1 stratum N'' line.
    * **burst** - when the server is already reachable, send a burst of packets (8) at each poll interval instead of one, for better accuracy at the cost of more traffic. It acts during normal operation, not only at startup.
    * **iburst** - when the server is unreachable (at startup or after a timeout), send a quick burst of packets to get into sync faster. Once synchronised it behaves like a plain ''server'' line again.
    * **prefer** - favour this source in the clock selection. On the local clock driver it tells ntpd to prefer the free-running hypervisor/bare-metal clock over real upstream sources, which is the opposite of what a fallback should do.
  * **fudge 127.127.1.1 stratum 1** - advertises the local clock as stratum 1, i.e. as if it were as good as a GPS or atomic reference. That is unsafe unless you truly mean to act as a primary reference; most deployments set a high stratum (e.g. 10) so the local clock is only used when all real sources are gone.
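To turn the warnings above (and the burst/iburst and leap-smearing warnings at the top of the page) into something you can run against a real ntp.conf, here is an added example linter. It is not part of this page or of ntpd: the checks are this example's reading of the page's advice, and the host lists (''LEAP_SMEARING'', the ''.ntp.org'' suffix) and the stratum threshold of 10 are assumptions rather than a complete inventory. ''WEAK'' is a constructed config modelled on the snippet above with a public pool server added; ''HARDENED'' is the corrected form.

```python
"""Lint an ntp.conf fragment against the rules stated on this page.

Added example, not part of the wiki page or of ntpd. The checks are this
example's reading of the page's advice; the thresholds and host lists below
are assumptions, not an inventory of all public services.
"""
import ipaddress

LEAP_SMEARING = {"time.google.com", "169.254.169.123"}   # assumed: Google and AWS smear
NON_SMEARING_SUFFIX = ".ntp.org"                        # assumed: pool.ntp.org does not
PUBLIC_SUFFIX = ".ntp.org"                              # the page: no iburst against *.ntp.org
WANTED_DEFAULT_FLAGS = {"kod", "limited", "nomodify", "noquery", "nopeer"}
LOCAL_CLOCK_MIN_STRATUM = 10   # assumption: lower makes the free-running clock look like a real source


def config_lines(text):
    """Yield the tokens of each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def is_private(host):
    """True for private/loopback IP literals; hostnames are treated as public."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def lint(config_text):
    """Return a list of findings (empty list = nothing the page warns about)."""
    findings = []
    default_flags = {}          # "-4", "-6" or "" -> flags on that 'restrict default' line
    local_clocks, fudged = set(), {}
    smearing, non_smearing = set(), set()

    for tok in config_lines(config_text):
        for t in tok:                       # 'prefer.' / '10.' style editing typos
            if t.endswith("."):
                findings.append(f"stray trailing '.' in token {t!r} (editing typo?)")
        key, args = tok[0], [a.rstrip(".") for a in tok[1:]]
        if key in ("server", "peer", "pool") and args:
            host, flags = args[0], set(args[1:])
            if host.startswith("127.127."):
                local_clocks.add(host)
                if "prefer" in flags:
                    findings.append(f"{host}: 'prefer' on the local clock favours a free-running clock over real sources")
            else:
                if "burst" in flags and not is_private(host):
                    findings.append(f"{host}: 'burst' against a server outside your own network is abuse")
                if "iburst" in flags and host.endswith(PUBLIC_SUFFIX):
                    findings.append(f"{host}: 'iburst' against public pool servers is not welcome")
                if host in LEAP_SMEARING:
                    smearing.add(host)
                elif host.endswith(NON_SMEARING_SUFFIX):
                    non_smearing.add(host)
        elif key == "fudge" and "stratum" in args:
            fudged[args[0]] = int(args[args.index("stratum") + 1])
        elif key == "restrict" and args:
            family = args[0] if args[0] in ("-4", "-6") else ""
            rest = args[1:] if family else args
            if rest and rest[0] == "default":
                default_flags[family] = set(rest[1:])

    for clock in sorted(local_clocks):
        stratum = fudged.get(clock)
        if stratum is not None and stratum < LOCAL_CLOCK_MIN_STRATUM:
            findings.append(f"{clock}: local clock fudged to stratum {stratum}; use "
                            f"{LOCAL_CLOCK_MIN_STRATUM} or higher so it is only a last resort")
    if smearing and non_smearing:
        findings.append(f"leap-smearing {sorted(smearing)} mixed with non-smearing {sorted(non_smearing)}")
    if not default_flags:
        findings.append("no 'restrict default' line: anyone may query, peer with and flood this server")
    for family, flags in sorted(default_flags.items()):
        missing = sorted(WANTED_DEFAULT_FLAGS - flags)
        if missing:
            label = " ".join(w for w in ("restrict", family, "default") if w)
            findings.append(f"{label} is missing {missing}")
    if "-4" in default_flags and not ({"-6", ""} & default_flags.keys()):
        findings.append("restrict -4 default has no IPv6 counterpart (add 'restrict -6 default ...')")
    return findings


# Constructed sample configs: WEAK mirrors the page's snippet plus a public pool server.
WEAK = """\
driftfile /var/lib/ntp/ntp.drift
discard average 3 minimum 1 monitor 10.
restrict -4 default kod limited nomodify noquery nopeer
restrict 127.0.0.1
restrict ::1
server 0.pool.ntp.org burst iburst
server time.google.com iburst
server 127.127.1.1 burst iburst prefer.
fudge 127.127.1.1 stratum 1
"""

HARDENED = """\
driftfile /var/lib/ntp/ntp.drift
discard average 3 minimum 1 monitor 3000
restrict -4 default kod limited nomodify noquery nopeer
restrict -6 default kod limited nomodify noquery nopeer
restrict 127.0.0.1
restrict ::1
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org
server 127.127.1.1
fudge 127.127.1.1 stratum 10
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"{name}: {lint(cfg) or 'no findings'}")
```

Feed it your own file with ''lint(open("/etc/ntp.conf").read())''. A clean result only means the page's rules are satisfied; it says nothing about the quality of the upstream servers themselves.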