ntp:ntp [2026/03/07 03:59] (current) by bstafford; previous revision [2026/02/04 00:21] (AWS NTP) by bstafford.
====== NTP ======
  * There is a dedicated page for [[ntp:ntp_pools|public NTP servers]].
  * There is a dedicated page for [[infoblox:ntp_on_infoblox|Infoblox NTP]].
  * A good overview of NTP is [[https://www.meinbergglobal.com/english/info/ntp.htm|here on the meinbergglobal page]].
  
**DO NOT** configure your system to use leap-smearing NTP servers as well as non-leap-smearing NTP servers at the same time. For example, do not combine Google NTP with Cloudflare NTP. See [[ntp_pools#leap_smearing|here]].

**DO NOT** configure your NTP servers in an NTP anycast scenario. This means avoid Google NTP as that is on anycast. There are some use cases where anycast NTP is acceptable (e.g. a large network where time is important but not critical, or an endpoint device that can only be configured with a single NTP IP address).

Try to use sources with a low poll time.
<code powershell>
# Hash the UTF-8 bytes of a key string in memory, without writing it to a temporary file.
# Replace xxx with the algorithm name Get-FileHash accepts (e.g. SHA1, SHA256, MD5).
$stringAsStream = [System.IO.MemoryStream]::new()
$writer = [System.IO.StreamWriter]::new($stringAsStream)
$writer.Write("ThisIsMyKeyString")
$writer.Flush()
$stringAsStream.Position = 0
Get-FileHash -InputStream $stringAsStream -Algorithm xxx | Select-Object Hash
</code>
  
===== NTP Configuration =====
[[https://www.ntp.org/documentation/4.2.8-series/accopt/|Official NTP Docs]] on configuration (access control options).

[[https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2_configure_rate_limiting_access_to_an_ntp_service|Red Hat Docs on NTP Config]] (RHEL 6 deployment guide, rate limiting).

[[https://docs.ntpsec.org/latest/ntpq.html#mrulist|Docs on mrulist]] (NTPsec ntpq).

Example snippet from an NTP configuration file:
<code>
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntpd.log
discard average 3 minimum 1 monitor 10
restrict -4 default kod limited nomodify noquery nopeer
restrict 127.0.0.1
restrict ::1
server 127.127.1.1 burst iburst prefer
fudge 127.127.1.1 stratum 1
</code>
  * **discard**
    * **average** - specifies the minimum average packet spacing to be permitted, in log2 seconds. The default value is 3 (2^3 = 8 seconds).
    * **minimum** - specifies the minimum packet spacing (guard time) to be permitted. The RHEL 6 docs linked above (ntp 4.2.6) give this in log2 seconds with a default of 1 (2^1 = 2 seconds); the official 4.2.8 docs give it in plain seconds with a default of 2. Either way the default guard time is 2 seconds, but check the docs for the ntpd version you run before changing it.
    * **monitor** - specifies the discard probability for packets once the permitted rate limits have been exceeded (the official docs describe it as the probability of discard for packets that overflow the rate-control window). The Red Hat docs give the default as 3000 and note that this option is intended for servers that receive 1000 or more requests per second.
  * **restrict**
    * **-4** - Apply this rule to IPv4 only. There is usually a matching ''restrict -6 default ...'' for IPv6; the example above has none, so IPv6 clients are left completely unrestricted (queries, peering, everything). Either add the ''-6'' line with the same flags, or write ''restrict default ...'' with no address family, which applies to both.
    * **default** - This is the catch-all rule for all IPv4 addresses (0.0.0.0/0) that don't match a more specific restrict line.
    * **kod** - Flag: When a client exceeds the rate limits set by the discard command (and limited is present), send a Kiss-of-Death (KoD) packet back to tell it to slow down, instead of just silently dropping packets.
    * **limited** - Flag: Enforce rate limiting using the thresholds from ''discard ...''. If a client sends requests too fast (violates those limits), time service is denied for that client (and, with kod, KoDs can be sent).
    * **nomodify** - Flag: Block configuration-changing control packets (e.g., ntpq/ntpdc commands that try to modify state). Info-only queries would still be allowed by this flag alone, but see noquery next.
    * **noquery** - Flag: Block all ntpq/ntpdc (mode 6/7) queries (status, variables, monlist, etc.). Time service (normal client requests for time) is still allowed. This is the flag that stops the server being used as a reflector/amplifier through those queries, so it belongs on every default rule of an Internet-facing server.
    * **nopeer** - Flag: Prevent others from forming NTP peer associations with this server unless specially allowed/authenticated. This blocks unsolicited symmetric/broadcast/manycast/pool-based peering that would otherwise turn your server into a peer for them.
  * **restrict 127.0.0.1** - Don't restrict anything from this IP because we haven't added any flags (so ''ntpq'' still works locally).
  * **restrict ::1** - The same for the IPv6 loopback address.
  * **server**
    * **127.127.1.1** - the "local clock" / undisciplined local clock driver (unit 1). In practice, this tells ntpd: "treat this machine's own system clock (the VM's or the bare-metal host's) as an NTP time source." It is usually used only as a last-resort fallback when no real upstream servers are available, together with a ''fudge 127.127.1.1 stratum N'' line.
    * **burst** - When the server is already reachable, send a burst of packets (8) each poll interval instead of just one, for better accuracy at the cost of more traffic. It has effect during normal operation, not only on startup. Do not use it against public or pool servers; their operators consider it abusive.
    * **iburst** - When the server is unreachable (on startup or after a timeout), send a quick burst of packets to get into sync faster. Once synchronized, it behaves like a normal ''server'' line again.
    * **prefer** - Mark this source as the preferred one: if it survives the selection and clustering algorithms, its time is used rather than a combination of all survivors. Putting prefer on the local clock driver means ntpd favours the machine's own clock whenever it survives selection, which is rarely what you want alongside real upstream servers.
  * **fudge 127.127.1.1 stratum 1** - you're advertising your local clock as stratum 1, i.e., as if it were as good as a GPS or atomic clock. That's generally unsafe unless you truly mean to act as a primary reference; most deployments set this to a high stratum (e.g., 10) so it's only used when all real sources are gone.
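To check a configuration for the mistakes discussed above, here is an added example (not from the wiki page and not part of ntpd): a small Python linter that parses the directives the page explains (discard, restrict, server, fudge) and reports a missing ''restrict default'' rule for either address family, a default rule lacking the kod/limited/nomodify/noquery/nopeer flags, a local clock fudged to a low stratum, and ''prefer'' on the local clock driver. The two sample configurations are constructed for the example: the first is the snippet above, the second the corrected form.

```python
"""Lint an ntpd configuration fragment for the access-control mistakes
discussed above.

Added example, not from the wiki page and not ntpd's own tooling.  It only
understands the directives explained on the page (discard, restrict, server,
fudge); everything else is ignored.  The sample configurations are constructed
for the example: WEAK_CONF is the page's snippet, HARDENED_CONF the corrected form.
"""

# Flags every Internet-facing default rule should carry (see the restrict bullets above).
EXPECTED_DEFAULT_FLAGS = frozenset({"kod", "limited", "nomodify", "noquery", "nopeer"})
# A local clock fudged below this stratum can win against real upstream servers.
MIN_LOCAL_CLOCK_STRATUM = 10


def parse_ntp_conf(text):
    """Return ntp.conf directives as lists of words; comments and blank lines are dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directives.append(line.split())
    return directives


def lint_ntp_conf(text):
    """Return a list of finding strings (an empty list means nothing to report)."""
    default_flags = {}         # address family -> flags on its 'restrict default' rule
    local_clock_stratum = {}   # 127.127.1.x -> fudged stratum
    preferred_local_clocks = []

    for words in parse_ntp_conf(text):
        keyword, args = words[0], words[1:]
        if keyword == "restrict":
            families = {"IPv4", "IPv6"}       # no -4/-6 means the rule applies to both
            if args and args[0] in ("-4", "-6"):
                families = {"IPv4" if args[0] == "-4" else "IPv6"}
                args = args[1:]
            if args and args[0] == "default":
                for fam in families:
                    default_flags[fam] = set(args[1:])
        elif keyword == "server" and args and args[0].startswith("127.127.1."):
            if "prefer" in args[1:]:
                preferred_local_clocks.append(args[0])
        elif keyword == "fudge" and args and args[0].startswith("127.127.1."):
            # fudge options are keyword/value pairs; pick out 'stratum N'
            for i, word in enumerate(args[1:], start=1):
                if word == "stratum" and i + 1 < len(args):
                    local_clock_stratum[args[0]] = int(args[i + 1])

    findings = []
    for fam in ("IPv4", "IPv6"):
        flags = default_flags.get(fam)
        if flags is None:
            findings.append(f"no 'restrict default' rule for {fam}: {fam} clients are unrestricted")
        else:
            missing = sorted(EXPECTED_DEFAULT_FLAGS - flags)
            if missing:
                findings.append(f"{fam} default rule is missing: {' '.join(missing)}")
    for addr, stratum in sorted(local_clock_stratum.items()):
        if stratum < MIN_LOCAL_CLOCK_STRATUM:
            findings.append(f"local clock {addr} fudged to stratum {stratum}; "
                            f"use {MIN_LOCAL_CLOCK_STRATUM} or higher so it is only a fallback")
    for addr in preferred_local_clocks:
        findings.append(f"local clock {addr} is marked prefer; it will be favoured over real upstream servers")
    return findings


# Constructed sample: the page's snippet (no IPv6 default rule, stratum 1, prefer).
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntpd.log
discard average 3 minimum 1 monitor 10
restrict -4 default kod limited nomodify noquery nopeer
restrict 127.0.0.1
restrict ::1
server 127.127.1.1 burst iburst prefer
fudge 127.127.1.1 stratum 1
"""

# Constructed sample: both address families restricted, local clock demoted to a
# stratum-10 fallback without prefer.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntpd.log
discard average 3 minimum 1 monitor 10
restrict -4 default kod limited nomodify noquery nopeer
restrict -6 default kod limited nomodify noquery nopeer
restrict 127.0.0.1
restrict ::1
server 127.127.1.1
fudge 127.127.1.1 stratum 10
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = lint_ntp_conf(conf)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against a real ''/etc/ntp.conf'' by reading the file into ''lint_ntp_conf''; it deliberately treats a ''restrict default'' line without ''-4''/''-6'' as covering both families, which is how ntpd 4.2.8 interprets it.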
ntp/ntp.1770164491.txt.gz · Last modified: by bstafford