Why the extra NTP servers?
-
I just checked what NTP servers my pfSense firewall is using. Here's the list:
==============================================================================
ca.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.002
-ntp1.torix.ca .PTP0. 1 u 341 512 377 21.255 +3.032 2.698
-ntp2.torix.ca .PTP0. 1 u 7 512 377 23.129 +4.394 1.809
-ntp3.torix.ca .PTP0. 1 u 207 512 377 21.242 +3.467 2.992
+time.cloudflare 10.16.12.8 3 u 460 512 377 28.954 -1.100 0.840
*gpg.n1zyy.com 213.251.128.249 2 u 15 512 377 18.183 -1.072 1.451
-dns3.switch.ca 206.108.0.131 2 u 496 512 377 47.343 -0.608 1.007
-ntp.nyy.ca .PPS. 1 u 242 512 377 42.327 -1.654 1.666
-time.srv.ualber 172.30.90.10 2 u 349 512 377 56.371 -1.093 1.656
+ns1.switch.ca 213.251.128.249 2 u 77 512 377 17.459 -1.406 1.750
I have the 3 torix servers and ca.pool.ntp.org configured. Why am I seeing the others? When I run Packet Capture on the LAN side, I don't see any NTP requests to anything but pfSense. Where are they coming from?
-
Those look like the servers that are in the pool, no?
-
Yeah, it appears to be the case. Does this mean pfSense does a DNS lookup to get the host names? I thought the pool worked by asking for an address and the appropriate address, from the pool, was provided. Also, what about that cloudflare on 10.16.12.8. Does the pool actually return that address?
-
BTW, those torix servers are stratum 1, which is unusual for open, public servers. They're also not far from my home and where my ISP peers with many other ISPs, also he.net. They're also located in a building I used to work in for 17 years.
-
@JKnott said in Why the extra NTP servers?:
which is unusual for open, public servers
Not really... I run a pool member stratum 1 server.. You can set one up with a Pi and a few extra bucks for the GPS hat, etc.
When you query a pool address you will get back IPs.. Those IPs normally will have PTR setup.. So that is how the name is found.
example from your list ntp2.torix.ca
;; QUESTION SECTION:
;132.0.108.206.in-addr.arpa. IN PTR
;; ANSWER SECTION:
132.0.108.206.in-addr.arpa. 3600 IN PTR ntp2.torix.ca.
Didn't we recently go over this and distance of ntp servers? This seems really familiar to another thread, that pretty sure you were in..
While sure it's better to query servers closer - in the big picture it doesn't really matter.
-
Many of the stratum 1 servers I've seen listed tend to be restricted in some way. Also, I don't recall that discussion about server distance. It must have been with someone else. The only thing I can think of that might be relevant to that discussion was that, since NTP servers are supposed to be traceable back to International Atomic Time, they'd all have the same accuracy, but the precision could vary. Still, short of setting up my own GPS receiver, I don't see a better NTP server for me.
Incidentally, I was reading about that Toronto Internet Exchange where it says it started in room 604 at 151 Front St. W., in Toronto. That would put it right above my office, which was on the 5th floor. You can see that corner of the building in the photo in that article. Back in those days, I was in Capital Planning for a major telecom called "Unitel", where I planned the installation of telecom equipment in that building and elsewhere in the downtown core, including the CN Tower. When I started, the company was called CN Telecommunications, then CNCP, then Unitel, which went bust. A few years ago, I was doing some work for Allstream, before Zayo bought them.
BTW, I used to have one of those Teletype Cards in my wallet. The other side was ASCII.
-
No you were in it
https://forum.netgate.com/topic/153332/why-does-my-pfsense-dns-give-non-local-ntp-servers
Yeah the MAJOR players that have ntp servers that are stratum one are normally not in the "pool" ;) But any billy bob with a few bucks and the desire to do so can run a stratum 1 server ;) so yeah you will find quite a few in the pool I would guess.
Like I said I run one ;)
$ ntpq
ntpq> pe
remote refid st t when poll reach delay offset jitter
==============================================================================
*ntp.local.lan .PPS. 1 u 100 128 377 0.635 -0.500 0.821
ntpq>
To be honest, pulling the time from GPS just gets you close; it's the PPS of the GPS receiver that keeps the time accurate.
-
The "pool" addresses return several IP addresses in their DNS replies. If ntpd treats the hostname as a server, only one of them is used (chosen randomly). If ntpd is told to treat the hostname as a pool, then it will use all of the returned addresses. Several versions ago, pfSense started using the pool method automatically, since it results in more stable time keeping. Best practice is to use no less than three NTP servers, for accuracy and redundancy. With one, you have no assurance the server is accurate. With two, you can't tell which one is wrong if they don't agree. With three, you can at least have a good chance at excluding an outlier.
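The pool behaviour and the three-source rule described above, as an added example that is not part of the original post or pfSense's own code: it parses the peer list from the first post, separates associations spawned from the pool from the configured hostnames, and reports which sources ntpd is combining. `CONFIGURED` is an assumption taken from what the original poster said was set up, and the function names are hypothetical.

```python
import ipaddress

# Constructed input: peer lines from the first post. Column 1 is ntpq's tally code.
SAMPLE = """\
 ca.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.002
-ntp1.torix.ca .PTP0. 1 u 341 512 377 21.255 +3.032 2.698
-ntp2.torix.ca .PTP0. 1 u 7 512 377 23.129 +4.394 1.809
-ntp3.torix.ca .PTP0. 1 u 207 512 377 21.242 +3.467 2.992
+time.cloudflare 10.16.12.8 3 u 460 512 377 28.954 -1.100 0.840
*gpg.n1zyy.com 213.251.128.249 2 u 15 512 377 18.183 -1.072 1.451
-dns3.switch.ca 206.108.0.131 2 u 496 512 377 47.343 -0.608 1.007
-ntp.nyy.ca .PPS. 1 u 242 512 377 42.327 -1.654 1.666
-time.srv.ualber 172.30.90.10 2 u 349 512 377 56.371 -1.093 1.656
+ns1.switch.ca 213.251.128.249 2 u 77 512 377 17.459 -1.406 1.750
"""
# What the original poster said was configured (assumption taken from the post).
CONFIGURED = {"ca.pool.ntp.org", "ntp1.torix.ca", "ntp2.torix.ca", "ntp3.torix.ca"}

def parse_peers(text):
    """Parse ntpq peer lines into dicts; skips header, separator and blank lines."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or not fields[2].isdigit():
            continue
        remote, refid, st, _t, _when, _poll, reach, delay, offset, jitter = fields
        peers.append({"tally": line[0], "remote": remote, "refid": refid,
                      "stratum": int(st), "reach": int(reach, 8),  # reach is octal
                      "offset_ms": float(offset)})
    return peers

def refid_is_private(refid):
    """refid is the peer's own upstream; a private IP there is inside their network."""
    try:
        return ipaddress.ip_address(refid).is_private
    except ValueError:          # stratum-1 refids are tags such as .PPS.
        return False

def audit(peers, configured):
    live = [p for p in peers if p["reach"] != 0]     # pool placeholder has reach 0
    return {
        "pool_spawned": [p["remote"] for p in live if p["remote"] not in configured],
        "system_peer": next((p["remote"] for p in peers if p["tally"] == "*"), None),
        "combined": [p["remote"] for p in peers if p["tally"] in "*+"],
        "private_refid": [p["remote"] for p in peers if refid_is_private(p["refid"])],
        "enough_sources": len(live) >= 3,            # the three-server rule
    }

if __name__ == "__main__": print(audit(parse_peers(SAMPLE), CONFIGURED))
```

This display truncates the remote column to 15 characters, so configured hostnames longer than that need truncating before the comparison.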
-
@jimp said in Why the extra NTP servers?:
Best practice is to use no less than three NTP servers, for accuracy and redundancy. With one, you have no assurance the server is accurate. With two, you can't tell which one is wrong if they don't agree. With three, you can at least have a good chance at excluding an outlier.
Yep. I have 3 stratum 1 servers and the pool. I figure that should be good enough. Also, according to what I read about multiple servers, the average is used, which results in better precision.
BTW, here's an interesting book about accurate time from the NIST:
From Sundials To Atomic Clocks