Redirect NTP Servers
I have a device that is going to an NTP server in Russia. Is it possible to use Firewalla to redirect all NTP queries to a server of my choosing? OR at least this NTP server specifically?
-
It is for sure possible; we will log this request. For now, the best option is to use a country/region block under Rules to do this. The NTP protocol will try the next entry if the previous one was blocked.
https://help.firewalla.com/hc/en-us/articles/360035080933-Geo-IP-Filtering
-
I can think of two scenarios where this might be common: NTP and DNS queries.
I read another post in this forum where someone pointed out that some devices hardcode their DNS queries, often to Google. It would be great to be able to force all NTP and DNS queries to servers of your choice.
-
Firewalla will redirect any DNS requests to the DNS servers configured in Firewalla. So even if some devices in the network have a hard-coded DNS server, they will be redirected by Firewalla too.
For NTP queries, we don't have the same type of redirection. It would be good to have one. Added to our todo list.
-
On a related note, what is the best practice?
- set clients' DNS servers to point at public DNS servers like 1.1.1.1 and set Firewalla DNS to the same
- set clients' DNS servers to point at Firewalla's LAN IP and set Firewalla DNS to public DNS servers like 1.1.1.1
- makes no difference?
-
Since legacy DNS is clear text,
Device -> Firewalla -> Router -> ISP -> Internet
Firewalla will intercept DNS requests from the device (even if the device specifies its own DNS server) and forward them to the upstream DNS servers. It is possible that the router/ISP may intercept/poison the DNS requests.
If DoH is used, the router/ISP will not be able to intercept or poison the request.
-
Yes, I love that DoH is able to be run on Firewalla now and I have it enabled for all my devices. My question was: if a device on my network was using DoH itself, say through the 1.1.1.1 app, would Firewalla still be able to intercept and redirect that DNS request? Because it would not be in clear text over port 53 in this situation. Thanks!
-
As part of our 1.60 app release + 1.978 box release, we've added an NTP Intercept feature. Enabling NTP Intercept allows Firewalla to catch NTP requests and process them locally using standard ntp.org servers. You can read more about how to try out this feature in our release notes or in our article about NTP Intercept.
-
@Help Desk NTP Intercept is a great step but is there any way to define a local NTP server to send the intercepted traffic to? i.e. Create an input pointing to which NTP server/pool to use under the "NTP Intercept" option with the default being "pool.ntp.com" (assuming this is what's configured). Pool.ntp.com (or any pool) can sometimes be very inaccurate. Just as many of us like Firewalla for giving us more control over our network, I feel like my network time is at the mercy of some algorithm I have no control over. And it would satisfy us NTP nuts who like to build our own Stratum 1 NTP servers with Raspberry Pi's!
-
@Firewalla You could build logic into the NTP Intercept to identify if the "custom NTP server IP" defined is local (RFC 1918) and exclude it (and only it) from the intercept (built-in policies would be in place that allow non-RFC 1918 IPs via port 123 to interact only with the "custom NTP server IP"). That way the NTP server could reach out to the NTP servers online for selection and clustering (and can be used in conjunction with a GPS-based source for time & PPS for better accuracy), while local devices requesting NTP over port 123 would be intercepted and redirected to the "custom NTP server IP".
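The two intercepts discussed in this thread (the port-53 DNS redirect described in the Firewalla reply above, and the port-123 NTP intercept with a locally excluded custom server proposed in the last comment) are both ordinary destination-NAT policy. The block below is an added example, not Firewalla's code and not a description of how the box actually implements either feature: it models the decision a Linux firewall would make on the prerouting path and emits the equivalent nftables rules. The LAN IP 192.168.1.1, the custom stratum-1 server 192.168.1.50 and the TEST-NET addresses used in the comments are constructed values. Note what the rule does not catch: DNS carried inside DoH on TCP 443 is not port 53, so a port-53 DNAT leaves it untouched, which is exactly the case asked about earlier in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

# RFC 1918 private ranges; a "custom NTP server" inside one of these is on our LAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC1918_SET = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet as seen by a prerouting NAT hook (constructed for the example)."""
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def decide(pkt: Packet, lan_ip: str, custom_ntp: Optional[str] = None) -> Tuple[str, str]:
    """Return (verdict, effective destination) for one packet.

    lan_ip     : the firewall's own LAN address, which answers intercepted DNS and
                 (when no custom server is set) intercepted NTP.
    custom_ntp : optional NTP server to hand intercepted NTP to. If it is an RFC 1918
                 host, that one host is excluded from the intercept so it can reach
                 upstream pools itself (the proposal made in the comment above).
    """
    # Clear-text DNS on port 53 (UDP or TCP) is always pulled to the local resolver,
    # regardless of the resolver the client configured. DoH on 443 never matches here.
    if pkt.proto in ("udp", "tcp") and pkt.dport == 53:
        return ("dnat", lan_ip)

    if pkt.proto == "udp" and pkt.dport == 123:
        if custom_ntp is None:
            return ("dnat", lan_ip)                  # box answers NTP itself
        if is_rfc1918(custom_ntp) and pkt.src == custom_ntp:
            return ("accept", pkt.dst)               # local stratum-1 box may reach upstream
        return ("dnat", custom_ntp)                  # everyone else is redirected to it

    return ("accept", pkt.dst)


def nft_rules(lan_ip: str, custom_ntp: Optional[str] = None) -> List[str]:
    """Emit the nftables ruleset equivalent to decide(). Table/chain names are assumptions."""
    rules = [
        "add table ip intercept",
        "add chain ip intercept prerouting { type nat hook prerouting priority -100 ; }",
        "add chain ip intercept forward { type filter hook forward priority 0 ; }",
        f"add rule ip intercept prerouting udp dport 53 dnat to {lan_ip}",
        f"add rule ip intercept prerouting tcp dport 53 dnat to {lan_ip}",
    ]
    if custom_ntp is None:
        rules.append(f"add rule ip intercept prerouting udp dport 123 dnat to {lan_ip}")
    elif is_rfc1918(custom_ntp):
        # Exclude only the custom server from the redirect, and forbid any other LAN host
        # from talking NTP to the Internet directly (belt and braces: DNAT already catches it).
        rules.append(f"add rule ip intercept prerouting ip saddr != {custom_ntp} udp dport 123 dnat to {custom_ntp}")
        rules.append(f"add rule ip intercept forward ip saddr != {custom_ntp} udp dport 123 ip daddr != {RFC1918_SET} drop")
    else:
        # A non-local custom server cannot be a LAN client, so no exclusion is needed.
        rules.append(f"add rule ip intercept prerouting udp dport 123 dnat to {custom_ntp}")
    return rules


if __name__ == "__main__":
    lan, stratum1 = "192.168.1.1", "192.168.1.50"
    samples = [
        Packet("192.168.1.20", "8.8.8.8", "udp", 53),          # hard-coded Google DNS on a device
        Packet("192.168.1.20", "203.0.113.10", "udp", 123),    # device polling a foreign NTP server
        Packet(stratum1, "198.51.100.1", "udp", 123),          # our stratum-1 box polling upstream
        Packet("192.168.1.20", "1.1.1.1", "tcp", 443),         # DoH: not port 53, passes through
    ]
    for p in samples:
        print(p, "->", decide(p, lan, stratum1))
    print("\n".join(nft_rules(lan, stratum1)))
```

Run it as-is to see the per-packet verdicts and the generated ruleset; nothing is applied to the host, the nft lines are only printed. Feeding them to `nft -f` on a Linux router would need the usual adjustments (interface restrictions, conntrack state rules) that the example omits.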