Redirect NTP Servers

Follow

Michael Bierman

• January 24, 2022 21:19
• Edited

I have a device that is going to an NTP server in Russia. Is it possible to use Firewalla to redirect all NTP queries to a server of my choosing? OR at least this NTP server specifically?

14

• 

  Firewalla

  • February 21, 2020 01:10

  It is for sure possible, will log this request down.  For now, best is to use country /region block under rules to do this.  NTP protocol will try the next entry if the previous one was blocked.  

  https://help.firewalla.com/hc/en-us/articles/360035080933-Geo-IP-Filtering

  3

  Comment actions Permalink
• 

  Michael Bierman

  • February 21, 2020 01:18

  Great, thanks. I thought you could apply a geo rule to multiple devices but it doesn't seem to allow that. It is either 1 device or all devices is that right?

  0

  Comment actions Permalink
• 

  Michael Bierman

  • February 21, 2020 07:33
  • Edited

  I could think of two scenarios where this might be common. NTP and DNS queries.

  I read another post in this forum where someone pointed out that some devices hardcode their DNS queries, often to Google. It would be great to be able to force all NTP and DNS queries to servers of your choice.

  1

  Comment actions Permalink
• 

  Support Team

  • February 22, 2020 14:56

  Firewalla will redirect any DNS requests to the DNS servers configured in Firewalla. So even some devices in the network hard coded DNS server, it will be redirected by Firewalla too.

   

  For NTP queries, we don't have the same type of redirection. It's good to have one. Added to our todo list.

   

   

  1

  Comment actions Permalink
• 

  Michael Bierman

  • February 23, 2020 07:25

  Very cool, thank you.

  So how do I enable the DNS override in firewalla? Settings > Advanced > Network Settings? Primary, Secondary? Or both? Does this work in Simple Mode?

  0

  Comment actions Permalink
• 

  Firewalla

  • February 23, 2020 18:45

  Yes, this works in simple mode.  You can configure just a primary, or both.

  0

  Comment actions Permalink
• 

  Michael Bierman

  • February 23, 2020 19:05

  Excellent. So what is the order of precedence?

  1. firewalla
  2. router
  3. manual local device configuration 
  4. ISP

  i tried setting the Router DNS to Firewalla’s local IP so that I’d have just one place to set dns but the router didn’t like that.

  0

  Comment actions Permalink
• 

  Michael Bierman

  • February 24, 2020 09:01
  • Edited

  On a related note, what is the best practice?

  1. set clients’ DNS severs to point at public DNS servers like 1.1.1.1  and set Firewalla DNS to the same)
     
     
  2. set clients’ DNS servers to point at firewalla’s LAN IP and set Firewalla DNS to public DNS servers like 1.1.1.1?
  3. makes no difference?

  0

  Comment actions Permalink
• 

  Firewalla

  • February 24, 2020 17:50

  Most of the time you do not need to do anything just set the default DNS and firewalla should just use it.  The Firewalla DNS settings can be used to override what's already there. 

  0

  Comment actions Permalink
• 

  Michael Bierman

  • February 24, 2020 18:08

  Sorry I don’t follow. My router and clients have to have DNS servers set except for clients that hard code their own DNS.

  So my question is, what should I set the router, firewalla, and clients to?

  0

  Comment actions Permalink
• 

  Michael Bierman

  • February 27, 2020 22:38

  Just wanted to follow up to see if I could get clarification on the precedence of DNS settings?

  0

  Comment actions Permalink
• 

  Firewalla

  • February 27, 2020 22:46

  Hi

  On your router, you should either leave it blank, then it will be set by your service provider;  If not, then you can pick any of the bigger ones' like 1.1.1.1 or 8.8.8.8  ... 

  Firewalla will pick up this setting and use it. 

  0

  Comment actions Permalink
• 

  Michael Bierman

  • February 27, 2020 22:48
  • Edited

  But my question is what takes precedence? Yes, if I leave it blank on the router, my ISPs will be used. But if I set them on Firewalla does that override that? What if I set them manually on a client? I'd like to know which "wins" :) 

  0

  Comment actions Permalink
• 

  Michael Bierman

  • March 03, 2020 16:49

  Ping...can someone clarify DNS prescience?

  0

  Comment actions Permalink
• 

  Support Team

  • March 04, 2020 10:18

  Since legacy DNS is clear text,

  Device -> Firewalla -> Router -> ISP -> Internet

   

  Firewalla will intercept DNS requests from device (even if device specify the DNS on its own), and forward to upstream DNS servers. It is possible that router/isp may intercept/poison the DNS requests.

   

  If DoH is used, router/ISP will not able to intercept or poison the request.

   

  0

  Comment actions Permalink
• 

  Michael Bierman

  • March 04, 2020 21:30
  • Edited

  Super helpful, thank you. Would pointing DNS at firewalla lan IP directly be the recommended practice regardless of DoH ? Seems like a simple way to configure rather than explaining all that. 

  0

  Comment actions Permalink
• 

  Support Team

  • March 05, 2020 06:40

  We don't have to recommend this as it will be automatically redirected. We believe the best experience is zero setup.

   

  Melvin

  2

  Comment actions Permalink
• 

  Joel Zimmerle

  • March 24, 2020 20:43

  Is Firewalla able to intercept DNS and redirect it on a client that is using DoH?

  0

  Comment actions Permalink
• 

  Firewalla

  • March 24, 2020 21:05

  Firewalla will intercept DNS and redirect it to DoH if you have DoH enabled.  This means you can have everything (or selected) devices in your home/office use DoH automatically without reconfiguring anything.  

  1

  Comment actions Permalink
• 

  Joel Zimmerle

  • March 24, 2020 21:22

  Yes, I love that DoH is able to be ran on firewalla now and I have it enabled for all my devices. My question was if a device on my network was using DoH itself, say through the 1.1.1.1 app, would firewalla still be able to intercept and redirect that DNS request? Because it would not be in clear text over port 53 in this situation. Thanks!

  1

  Comment actions Permalink
• 

  Joel Zimmerle

  • March 25, 2020 21:03
  • Edited

  From my own testing it appears firewalla can still see the hostname I’m connecting to but cannot intercept and reroute the DNS.

  1

  Comment actions Permalink
• 

  swampy2b

  • September 06, 2022 21:44

  All the comments on here are about DoH.  I would still like a feature to intercept NTP Requests to force a server of my choosing. 

  1

  Comment actions Permalink
• 

  Michael Bierman

  • September 06, 2022 21:47

  @Swampy2b did you upvote ? ;) 

  0

  Comment actions Permalink

Please sign in to leave a comment.