Redirect NTP Servers

Comments

27 comments

  • Firewalla

    It is for sure possible, will log this request down.  For now, best is to use country /region block under rules to do this.  NTP protocol will try the next entry if the previous one was blocked.  

    https://help.firewalla.com/hc/en-us/articles/360035080933-Geo-IP-Filtering

    3
  • Michael Bierman

    Great, thanks. I thought you could apply a geo rule to multiple devices but it doesn't seem to allow that. It is either 1 device or all devices is that right?

    0
  • Michael Bierman

    I could think of two scenarios where this might be common. NTP and DNS queries.

    I read another post in this forum where someone pointed out that some devices hardcode their DNS queries, often to Google. It would be great to be able to force all NTP and DNS queries to servers of your choice.

    1
  • Support Team

    Firewalla will redirect any DNS requests to the DNS servers configured in Firewalla. So even if some devices in the network have hard-coded DNS servers, they will be redirected by Firewalla too.


    For NTP queries, we don't have the same type of redirection. It's good to have one. Added to our todo list.


    2
  • Michael Bierman

    Very cool, thank you.

    So how do I enable the DNS override in firewalla? Settings > Advanced > Network Settings? Primary, Secondary? Or both? Does this work in Simple Mode?

    0
  • Firewalla

    Yes, this works in simple mode. You can configure just a primary, or both.

    0
  • Michael Bierman

    Excellent. So what is the order of precedence?

    1. firewalla
    2. router
    3. manual local device configuration 
    4. ISP

    I tried setting the router DNS to Firewalla's local IP so that I'd have just one place to set DNS, but the router didn't like that.

    0
  • Michael Bierman

    On a related note, what is the best practice?

    1. set clients' DNS servers to point at public DNS servers like 1.1.1.1 (and set Firewalla DNS to the same)?
    2. set clients' DNS servers to point at Firewalla's LAN IP and set Firewalla DNS to public DNS servers like 1.1.1.1?
    3. makes no difference?
    0
  • Firewalla

    Most of the time you do not need to do anything; just set the default DNS and Firewalla should just use it. The Firewalla DNS settings can be used to override what's already there.

    0
  • Michael Bierman

    Sorry I don’t follow. My router and clients have to have DNS servers set except for clients that hard code their own DNS.

    So my question is, what should I set the router, firewalla, and clients to?

    0
  • Michael Bierman

    Just wanted to follow up to see if I could get clarification on the precedence of DNS settings?

    0
  • Firewalla

    Hi

    On your router, you should either leave it blank, then it will be set by your service provider; if not, then you can pick any of the bigger ones like 1.1.1.1 or 8.8.8.8 ...

    Firewalla will pick up this setting and use it. 

    0
  • Michael Bierman

    But my question is what takes precedence? Yes, if I leave it blank on the router, my ISPs will be used. But if I set them on Firewalla does that override that? What if I set them manually on a client? I'd like to know which "wins" :) 

    0
  • Michael Bierman

    Ping... can someone clarify DNS precedence?

    0
  • Support Team

    Since legacy DNS is clear text,

    Device -> Firewalla -> Router -> ISP -> Internet


    Firewalla will intercept DNS requests from the device (even if the device specifies its own DNS) and forward them to the upstream DNS servers. It is possible that the router/ISP may intercept/poison the DNS requests.


    If DoH is used, the router/ISP will not be able to intercept or poison the request.


    0
  • Michael Bierman

    Super helpful, thank you. Would pointing DNS at Firewalla's LAN IP directly be the recommended practice regardless of DoH? Seems like a simple way to configure rather than explaining all that.

    0
  • Support Team

    We don't have to recommend this as it will be automatically redirected. We believe the best experience is zero setup.


    Melvin

    2
  • Joel Zimmerle

    Is Firewalla able to intercept DNS and redirect it on a client that is using DoH?

    0
  • Firewalla

    Firewalla will intercept DNS and redirect it to DoH if you have DoH enabled. This means you can have all (or selected) devices in your home/office use DoH automatically without reconfiguring anything.

    1
  • Joel Zimmerle

    Yes, I love that DoH is able to be run on Firewalla now and I have it enabled for all my devices. My question was if a device on my network was using DoH itself, say through the 1.1.1.1 app, would Firewalla still be able to intercept and redirect that DNS request? Because it would not be in clear text over port 53 in this situation. Thanks!

    1
  • Joel Zimmerle

    From my own testing it appears firewalla can still see the hostname I’m connecting to but cannot intercept and reroute the DNS.

    1
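To make the Device -> Firewalla -> Router -> ISP chain from the Support Team's answer and Joel's DoH observation concrete, here is a small Python model. It is an added illustration, not Firewalla's code: the addresses, the `Packet` class and the `handle` / `effective_upstream` functions are all constructed for the demo. It encodes only what the thread states: port-53 queries are answered locally and forwarded to whichever upstream wins (box setting, then router setting, then ISP), while a device's own DoH session over 443 passes through with just the TLS server name visible.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample address for the demo; it does not come from the thread.
FIREWALLA_LAN_IP = "192.168.1.2"


@dataclass
class Packet:
    src: str                    # LAN device that sent the packet
    dst: str                    # resolver the device itself tried to reach
    proto: str                  # "udp" or "tcp"
    dport: int
    sni: Optional[str] = None   # TLS server name if the payload is a ClientHello


def effective_upstream(firewalla_dns: Optional[str],
                       router_dns: Optional[str],
                       isp_dns: str) -> str:
    """Which resolver the box forwards intercepted queries to.

    Precedence as stated in the thread: the box's own DNS setting overrides
    what the router handed out, and a blank router setting falls back to the
    ISP-assigned resolver.
    """
    return firewalla_dns or router_dns or isp_dns


def handle(pkt: Packet, upstream: str) -> dict:
    """Model what a transparent intercept on the box can do with one packet."""
    if pkt.dport == 53 and pkt.proto in ("udp", "tcp"):
        # Legacy DNS is clear text: the query is answered by the box and
        # forwarded upstream no matter which resolver the device hard-coded.
        return {"action": "redirect",
                "answered_by": FIREWALLA_LAN_IP,
                "forwarded_to": upstream,
                "device_wanted": pkt.dst}
    if pkt.dport == 443 and pkt.sni is not None:
        # Device-side DoH rides inside TLS. The server name in the ClientHello
        # is still visible and can be logged, but the query cannot be rewritten.
        return {"action": "pass", "visible_hostname": pkt.sni}
    return {"action": "pass", "visible_hostname": None}


def run_demo() -> List[dict]:
    """Three constructed packets: hard-coded public DNS, router DNS, and DoH."""
    upstream = effective_upstream(firewalla_dns=None,
                                  router_dns="1.1.1.1",
                                  isp_dns="203.0.113.53")
    packets = [
        Packet("192.168.1.50", "8.8.8.8", "udp", 53),
        Packet("192.168.1.51", "192.168.1.1", "udp", 53),
        Packet("192.168.1.52", "104.16.248.249", "tcp", 443,
               sni="cloudflare-dns.com"),
    ]
    return [handle(p, upstream) for p in packets]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The first two packets come back as redirects to the same upstream regardless of what the device asked for, which is the "which wins" answer in the thread; the third shows why a client running its own DoH app is only observable by hostname, not rewritable.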
  • swampy2b

    All the comments on here are about DoH. I would still like a feature to intercept NTP requests to force a server of my choosing.

    1
  • Michael Bierman

    @Swampy2b did you upvote ? ;) 

    0
  • Help Desk

    As part of our 1.60 app release + 1.978 box release, we've added an NTP Intercept feature. Enabling NTP Intercept allows Firewalla to catch NTP requests and process them locally using standard ntp.org servers. You can read more about how to try out this feature in our release notes or in our article about NTP Intercept.

    0
  • Dave

    @Help Desk NTP Intercept is a great step, but is there any way to define a local NTP server to send the intercepted traffic to? i.e. create an input pointing to which NTP server/pool to use under the "NTP Intercept" option, with the default being "pool.ntp.com" (assuming this is what's configured). Pool.ntp.com (or any pool) can sometimes be very inaccurate. Just as many of us like Firewalla for giving us more control over our network, I feel like my network time is at the mercy of some algorithm I have no control over. And it would satisfy us NTP nuts who like to build our own Stratum 1 NTP servers with Raspberry Pis!

    0
  • Firewalla

    We may provide a way for you to change the NTP server, but ... that may be tricky if you run an NTP server inside the network, since it may start an NTP loop.

    0
  • Dave

    @Firewalla You could build logic into the NTP Intercept to identify if the "custom NTP server IP" defined is local (RFC 1918) and exclude it (and only it) from the intercept (built-in policies would be in place that allow non-RFC 1918 IPs via port 123 to interact only with the "custom NTP server IP"). That way the NTP server could reach out to the NTP servers online for selection and clustering (and can be used in conjunction with a GPS-based source for time & PPS for better accuracy), while local devices requesting NTP over port 123 would be intercepted and redirected to the "custom NTP server IP".

    0
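Dave's proposal above (redirect LAN port-123 traffic to a custom server, but exempt that server's own upstream sync when it is an RFC 1918 address, so it never gets looped back to itself) can be expressed as a short decision function. This is an added example, not Firewalla's implementation: the `Packet` class, `ntp_intercept`, the sample addresses and the `DEFAULT_POOL` placeholder are all constructed for the demo, and the RFC 1918 check is done against the three private IPv4 ranges rather than any product API.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed values for the demo. DEFAULT_POOL is a placeholder standing in
# for whatever public pool the intercept uses when no custom server is set.
NTP_PORT = 123
DEFAULT_POOL = "pool.ntp.org"
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str     # LAN device sending the packet
    dst: str     # NTP server the device itself asked for
    dport: int


def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC 1918 IPv4 ranges; hostnames return False."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def ntp_intercept(pkt: Packet, custom_server: Optional[str]) -> dict:
    """Decide what NTP Intercept does with one outbound packet.

    custom_server is the operator-chosen server (IP or hostname); None means
    the default pool. A local (RFC 1918) custom server is the one host whose
    own port-123 traffic is allowed out untouched, so it can sync upstream.
    """
    if pkt.dport != NTP_PORT:
        return {"action": "pass", "reason": "not NTP"}
    target = custom_server or DEFAULT_POOL
    if custom_server and is_rfc1918(custom_server) and pkt.src == custom_server:
        # Redirecting the local stratum server's own queries to itself would
        # create the NTP loop Firewalla warned about, so exempt exactly this host.
        return {"action": "pass", "reason": "local NTP server syncing upstream"}
    # Everything else on port 123 (including devices that hard-coded a public
    # server) is redirected to the chosen target.
    return {"action": "redirect", "to": target, "device_wanted": pkt.dst}


def run_demo() -> List[dict]:
    """Constructed traffic: a LAN client, the local stratum-1 box, and non-NTP."""
    custom = "192.168.1.10"   # constructed: a Raspberry Pi stratum-1 server on the LAN
    packets = [
        Packet("192.168.1.50", "203.0.113.5", NTP_PORT),   # client -> public NTP
        Packet("192.168.1.10", "203.0.113.5", NTP_PORT),   # local server -> upstream
        Packet("192.168.1.50", "203.0.113.5", 443),        # unrelated HTTPS
    ]
    return [ntp_intercept(p, custom) for p in packets]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Running it shows the client's query redirected to 192.168.1.10, the stratum-1 box's own upstream query passed through, and non-NTP traffic untouched; with `custom_server=None` every port-123 packet goes to the default pool instead, which is the behaviour the Help Desk describes for the shipped feature.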
