Why does my pfsense DNS give non-local NTP servers



  • I have my DNS set up as Unbound forwarding with the following DNS Servers:
    DNS server(s)
    127.0.0.1
    2606:4700:4700::1001
    1.0.0.1
    2606:4700:4700::1111
    1.1.1.1
    2001:4860:4860::8844
    8.8.4.4

    I am in the US, but when I do an nslookup of 2.pfsense.pool.ntp.org I get ntp servers mostly from Europe, but also Tokyo. If I nslookup using an external DNS I get US NTP servers.

    PS C:\Users\rcoat> nslookup 2.pfsense.pool.ntp.org
    Server:  pfSense.hidden.com
    Address:  10.23.10.1
    
    Non-authoritative answer:
    Name:    2.pfsense.pool.ntp.org
    Addresses:  2a01:8900::aaaa
              2a02:a00:1009:6202::123
              2a06:82c2:0:1135::
              2a00:1080:80d:201::d:1
              124.108.20.1
              151.80.211.8
              129.70.132.33
              195.22.17.7
    
    PS C:\Users\rcoat> nslookup 2.pfsense.pool.ntp.org 8.8.8.8
    Server:  dns.google
    Address:  8.8.8.8
    
    Non-authoritative answer:
    Name:    2.pfsense.pool.ntp.org
    Addresses:  2600:1f16:7a3:8a22:a922:8e9c:be3:992a
              2620:6:2000:104::48
              2600:2600::199
              2a0d:5600:33:b::1
              185.117.82.70
              158.69.248.26
              85.220.190.246
              116.202.64.148
    
    PS C:\Users\rcoat> nslookup 2.pfsense.pool.ntp.org 1.1.1.1
    Server:  one.one.one.one
    Address:  1.1.1.1
    
    Non-authoritative answer:
    Name:    2.pfsense.pool.ntp.org
    Addresses:  2600:3c02::f03c:91ff:fe84:3cb5
              2604:a880:400:d0::8a0:a001
              2600:3c02:e000:bc::230
              2001:19f0:6001:306f:ec4:7aff:fe8f:66ec
              204.93.207.12
              66.207.226.14
              216.229.0.49
              44.190.6.254
    

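The resolver comparison above, scripted: an added example, not from the original post, that parses Windows nslookup output for several resolvers and reports which answers the forwarder returned that the upstream did not. The transcript embedded in it is constructed from the runs above, trimmed to three addresses per resolver; the parser assumes the Windows nslookup layout (`Server:`/`Address:` for the resolver, then `Name:` and `Addresses:` for the answer).

```python
"""Compare the answers several resolvers give for one name.

Added example, not from the original post: it scripts the by-hand comparison
of nslookup runs in the thread. The transcript below is constructed from those
runs, trimmed to three addresses per resolver, in the Windows nslookup layout
(Server:/Address: for the resolver, then Name: and Addresses: for the answer).
"""
from ipaddress import ip_address

# Constructed transcript: two nslookup runs pasted back to back.
SAMPLE = """\
PS C:\\Users\\rcoat> nslookup 2.pfsense.pool.ntp.org
Server:  pfSense.hidden.com
Address:  10.23.10.1

Non-authoritative answer:
Name:    2.pfsense.pool.ntp.org
Addresses:  2a01:8900::aaaa
          124.108.20.1
          151.80.211.8

PS C:\\Users\\rcoat> nslookup 2.pfsense.pool.ntp.org 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    2.pfsense.pool.ntp.org
Addresses:  2600:1f16:7a3:8a22:a922:8e9c:be3:992a
          185.117.82.70
          158.69.248.26
"""


def _is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def parse_nslookup(text):
    """Map each resolver address to the set of answer addresses it returned."""
    answers = {}
    resolver = None
    state = None  # "server": next Address: is the resolver; "answer": inside an answer
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            state = "server"
        elif line.startswith("Name:"):
            state = "answer"
        elif line.startswith(("Address:", "Addresses:")):
            value = line.split(":", 1)[1].strip()   # first colon ends the label
            if state == "server" and _is_ip(value):
                resolver = value
                answers.setdefault(resolver, set())
            elif state == "answer" and _is_ip(value):
                answers[resolver].add(value)
        elif state == "answer" and line and raw[0].isspace():
            if _is_ip(line):                          # indented continuation line
                answers[resolver].add(line)
        else:
            state = None                              # blank or unrelated line
    return answers


def only_from(answers, resolver):
    """Addresses `resolver` returned that no other resolver in `answers` did."""
    others = set().union(*(a for r, a in answers.items() if r != resolver))
    return sorted(answers[resolver] - others)


def split_families(addrs):
    """Separate IPv4 and IPv6 answers; pool names usually return both."""
    v4 = {a for a in addrs if ip_address(a).version == 4}
    return sorted(v4), sorted(addrs - v4)


if __name__ == "__main__":
    res = parse_nslookup(SAMPLE)
    for resolver, addrs in res.items():
        v4, v6 = split_families(addrs)
        print(f"{resolver}: {len(v4)} IPv4, {len(v6)} IPv6")
    print("only from the forwarder:", only_from(res, "10.23.10.1"))
```

Pool answers rotate, so a disjoint set from two resolvers is not by itself evidence of a problem; the check is worth running a few times over a TTL or two before concluding the forwarder's cache, rather than the pool, is what differs.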
  • Netgate Administrator

    Unbound is forwarding from your WAN directly? Not via a VPN etc?

    Since it's just forwarding to the same servers I would expect the same result. Though Unbound can alter the queries. Forwarding using DoT for example.

    Steve



  • @stephenw10 it is directly via WAN as I don’t have a VPN set up.

    My only guess is that maybe the pfSense had cached a prior nslookup. I did notice that over time I get different addresses for the NTP servers.

    I am not sure what the process that ntp.org is using to provide localized servers but I am starting to think it is a problem on their end.


  • LAYER 8 Global Moderator

    You're using the global pool, if you want to use a regional pool you should change the fqdn..

    https://www.pool.ntp.org/zone/north-america

    pfsense has their own vendor fqdn, not sure what is all included in that - prob just points to global. Not sure if they have setup regional for their vendor fqdn.. Not sure if you can? When you request your vendor fqdn, there is a section for zones that your clients will be doing queries from - but pfsense is for sure global.

    When you forward to something like 1.1.1.1 or 8.8.8.8 it's anycast and global - it's possible you get an answer from a different region, etc.

    To be honest, it's best if you are worried about where the ntp sits - to call out the ones specific you want to use vs a pool..

    http://support.ntp.org/bin/view/Servers/WebHome

    I run a stratum 1 in the north-america and us pools, but I get hit all the time from IPs all over the globe - because you automatically fall into the global pool..



  • @johnpoz said in Why does my pfsense DNS give non-local NTP servers:

    You're using the global pool, if you want to use a regional pool you should change the fqdn..
    https://www.pool.ntp.org/zone/north-america

    I thought they used geolocation to provide regional servers.

    From How do I use pool.ntp.org?
    "Looking up pool.ntp.org (or 0.pool.ntp.org, 1.pool.ntp.org, etc) will usually return IP addresses for servers in or close to your country. For most users this will give the best results."

    When I checked with x.pool.ntp.org, I got servers mostly in Eastern Canada.


  • LAYER 8 Global Moderator

    Yeah should work that way... But when you forward to some anycast dns.. You have no idea where you're at.. you could be hitting something close - which you should... But you can never really be sure, and you can run into caching issues.

    You say mostly - were all of them in eastern CA? Also geoip for sure is not a 100% accurate that is for damn sure ;)

    The global pool could return something from anywhere, it's far from exact..

    And then again you could have people putting their ntp servers in the wrong pool... I would take one of the IPs you get and see what pool they are in..

    ;pool.ntp.org.                  IN      A

    ;; ANSWER SECTION:
    pool.ntp.org.           3159    IN      A       23.131.160.7
    pool.ntp.org.           3159    IN      A       65.19.142.137
    pool.ntp.org.           3159    IN      A       12.167.151.1
    pool.ntp.org.           3159    IN      A       129.250.35.251


    So the first 3 show up in the NA pool

    But that last one - look at all the pools its in..
    129.250.35.251
    https://www.ntppool.org/scores/129.250.35.251

    Account: Jared Mauch (#35brp2v)
    Zones: @ asia au de europe fr jp nl north-america uk us

    WTF dude ;) How is your IP in all those pools? If I look up that IP in maxmind says its in Dallas, TX ;) So why would it be in all those pools for?

    It's far from exact science for sure - with all the variables that come into play... What I can say is if you're worried about where the ntp actually sits, then use specific ones that you know where they are ;)

    When you use a pool, you're going to be talking to multiple IPs, ntp should use the better ones (normally closer to you) but does it really matter? The latency from you to the ntp server is taken into account while adjusting the time, etc.

    If I ping that IP
    Pinging 129.250.35.251 with 32 bytes of data:
    Reply from 129.250.35.251: bytes=32 time=19ms TTL=56
    Reply from 129.250.35.251: bytes=32 time=13ms TTL=56
    Reply from 129.250.35.251: bytes=32 time=10ms TTL=56
    Reply from 129.250.35.251: bytes=32 time=9ms TTL=56

    It's like 9 ms away from me in Chicagoland - it sure and the F is not in asia or au, germany - no.. etc. etc.. ;)

    9ms seems pretty short for it to even be in dallas ;) From chicago to dallas should be more like 25ish ms..

    from a trace to that IP.. looks to be in chicagoland to me

     9    10 ms    17 ms    11 ms  ae-46.a01.chcgil09.us.bb.gin.ntt.net [129.250.195.141]
     10    11 ms     9 ms    10 ms  y.ns.gin.ntt.net [129.250.35.251]
    

    So maxmind isn't freaking accurate, says its in dallas tx...

    here I just asked google 8.8.8.8

    ;pool.ntp.org.                  IN      A
    
    ;; ANSWER SECTION:
    pool.ntp.org.           80      IN      A       195.113.20.2
    pool.ntp.org.           80      IN      A       50.205.244.39
    pool.ntp.org.           80      IN      A       213.206.165.21
    pool.ntp.org.           80      IN      A       84.16.67.12
    
    ;; Query time: 30 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    

    that 195 address is in cz and europe pools
    https://www.ntppool.org/scores/195.113.20.2

    if I ping it - yeah sure not in the US or NA even.
    $ ping 195.113.20.2

    Pinging 195.113.20.2 with 32 bytes of data:
    Reply from 195.113.20.2: bytes=32 time=124ms TTL=47
    Reply from 195.113.20.2: bytes=32 time=123ms TTL=47

    geoip for it says its in cz... So why am I getting that back when asking google dns.. ;)

    that 213.206.165.21 is in the de and europe zones..
    https://www.ntppool.org/scores/213.206.165.21



  • @johnpoz

    This time I got a couple in western Canada, but no idea where the other 2 are.

    host 0.pool.ntp.org
    0.pool.ntp.org has address 68.69.221.61
    0.pool.ntp.org has address 216.232.132.77
    0.pool.ntp.org has address 207.34.48.31
    0.pool.ntp.org has address 144.217.4.129

    host 68.69.221.61
    61.221.69.68.in-addr.arpa domain name pointer 68-69-221-61.nbfr.hsdb.sasknet.sk.ca.
    host 216.232.132.77
    77.132.232.216.in-addr.arpa domain name pointer s216-232-132-77.bc.hsia.telus.net.
    host 207.34.48.31
    31.48.34.207.in-addr.arpa domain name pointer backoffice-1.incentre.net.
    host 144.217.4.129
    129.4.217.144.in-addr.arpa domain name pointer ca.irc.funfile.org.

    Other pools return mostly different servers. I suppose I should trace route some of those that I don't know the location of.

    Also, I often see IPv6 addresses. Regardless, since all NTP servers are supposed to trace back to International Atomic Time, they should all have the same accuracy, though the precision may vary.


  • LAYER 8 Global Moderator

    All 4 of those IPs are listed in the ca north-america pools.. So if set correctly they should be somewhere in NA, if not just CA..

    The point about time is valid, the servers should all be correct.. Just a matter of precision.. It really makes no difference if your ntp server is 1 mile from you or 1000..

    Again ntp takes into account the latency in setting your time, etc.

    It just comes down to efficiency, you shouldn't really set time to something on the other side of the globe, if there is server in your region, etc.

    But with the variables at play, you can never really be sure where some ntp server is when doing a dns query to a pool.. I showed you perfect examples of where servers are in the wrong pools to start with, and the geoip stuff not being all that perfect.. And then using an anycast dns that you have no idea who was doing a query and xyz got cached from, even if regional, etc. etc..

    So in the big picture doesn't matter, but again if you're concerned that pool might return something outside your region - don't use a pool and point directly to specific ntp servers that are open to the public in your region. The lists I linked to list where those stratum 1 and 2 servers are located. So you can pick some that are close to you, and are open for you to query.

    Or if you're into it - run your own.. Get a pi, get a gps hat, some tinker time and just run your own stratum 1 server locally ;)

    ntpq> pe
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    *ntp.local.lan   .PPS.            1 u   40   64  377    0.635   -1.178   0.247
    

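Checking what ntpd actually selected, as an added example that is not from the original post: it parses an `ntpq -p` peer billboard in the layout shown above, decodes the octal `reach` register, and flags peers that are poorly reachable or far away by round-trip delay. The billboard is constructed: the first line is the PPS peer from the post, the other three are made up (a tick.utoronto.ca entry truncated to ntpq's 15-character remote column, the 195.113.20.2 host discussed earlier with invented figures, and a stratum-2 peer with a documentation-range refid); the 50 ms delay cut-off is an arbitrary assumption for "probably not in my region".

```python
"""Parse and sanity-check an `ntpq -p` peer billboard.

Added example, not from the original post. The sample billboard is constructed:
line one is the stratum-1 PPS peer shown in the thread; the other peers and
all of their numbers are made up to show a candidate, an outlier with high
delay, and a peer with poor reachability.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp.local.lan   .PPS.            1 u   40   64  377    0.635   -1.178   0.247
+tick.utoronto.c .GPS.            1 u   12   64  377   18.201    0.412   0.903
-195.113.20.2    .GPS.            1 u   45   64  377  124.330   -2.105   1.771
 144.217.4.129   192.0.2.10       2 u   61   64   17   22.407    0.850   3.902
"""

# First column of each peer line: ntpd's selection verdict for that peer.
TALLY = {
    "*": "sys.peer", "o": "pps.peer", "+": "candidate", "#": "backup",
    "-": "outlier", ".": "excess", "x": "falseticker", " ": "rejected",
}

LINE = re.compile(
    r"^(?P<tally>[ *o+#\-.x])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<t>[ulbsp-])\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>-?[\d.]+)\s*$"
)


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    reach: int      # 8-bit shift register, one bit per recent poll
    delay: float    # round trip to the peer, ms
    offset: float   # ms
    jitter: float   # ms

    @property
    def status(self):
        return TALLY[self.tally]

    @property
    def reach_count(self):
        """How many of the last eight polls were answered."""
        return bin(self.reach).count("1")


def parse_ntpq(text):
    """Turn billboard lines into Peer records; header and separator are skipped."""
    peers = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        peers.append(Peer(
            tally=m["tally"], remote=m["remote"], refid=m["refid"],
            stratum=int(m["st"]), reach=int(m["reach"], 8),
            delay=float(m["delay"]), offset=float(m["offset"]),
            jitter=float(m["jitter"])))
    return peers


def evaluate(peers, max_delay_ms=50.0):
    """Return (selected peer or None, list of (remote, warning)).

    max_delay_ms is an assumed cut-off for "this server is probably not in my
    region"; a real deployment should pick it from its own measured baseline.
    """
    warnings = []
    sys_peer = next((p for p in peers if p.tally in ("*", "o")), None)
    if sys_peer is None:
        warnings.append(("-", "no system peer selected yet"))
    for p in peers:
        if p.reach_count < 8:
            warnings.append((p.remote, f"reach {p.reach:o}: only {p.reach_count}/8 recent polls answered"))
        if p.delay > max_delay_ms:
            warnings.append((p.remote, f"delay {p.delay} ms exceeds {max_delay_ms} ms"))
    return sys_peer, warnings


if __name__ == "__main__":
    peers = parse_ntpq(SAMPLE)
    sel, warns = evaluate(peers)
    print("selected:", sel.remote if sel else None, "stratum", sel.stratum if sel else "-")
    for remote, msg in warns:
        print(f"warning {remote}: {msg}")
```

ntpq marks the peer it is synced to with `*` (or `o` for a PPS-driven peer); `reach` is an eight-bit shift register printed in octal, so 377 means all of the last eight polls were answered and 17 means only the last four were. Delay is the measured round trip, which is the number that tells you how far away a pool server actually is regardless of what geoip says.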

  • @johnpoz said in Why does my pfsense DNS give non-local NTP servers:

    So if set correctly they should be somewhere in NA, if not just CA..

    Given all the bandwidth between the 2 countries, I have to wonder how much difference it would make. Also, if I wanted something local, I could specify a couple of servers at the University of Toronto. They are tick.utoronto.ca and tock.utoronto.ca.

    Incidentally, last year I was working on a project where the customer had a couple of GPS receiver/NTP servers at different locations.

    Also, I came across an interesting book for those curious about time, etc.. It's From Sundials To Atomic Clocks, published by the NIST.


  • LAYER 8 Global Moderator

    Yup exactly - if you were worried about how far away your ntp was, then setting those tick and tock would be fine.



  • @johnpoz said in Why does my pfsense DNS give non-local NTP servers:

    You're using the global pool, if you want to use a regional pool you should change the fqdn..

    https://www.pool.ntp.org/zone/north-america

    pfsense has their own vendor fqdn, not sure what is all included in that - prob just points to global. Not sure if they have setup regional for their vendor fqdn.. Not sure if you can? When you request your vendor fqdn, there is a section for zones that your clients will be doing queries from - but pfsense is for sure global.

    When you forward to something like 1.1.1.1 or 8.8.8.8 it's anycast and global - it's possible you get an answer from a different region, etc.

    To be honest, it's best if you are worried about where the ntp sits - to call out the ones specific you want to use vs a pool..

    http://support.ntp.org/bin/view/Servers/WebHome

    I run a stratum 1 in the north-america and us pools, but I get hit all the time from IPs all over the globe - because you automatically fall into the global pool..

    What I did was keep the global, 2.pfsense.pool.ntp.org and then added 2.us.pool.ntp.org and 2.north-america.pool.ntp.org to my list of time servers.

    I figured with the 2 localized pools the ntpd would figure itself out.


  • LAYER 8 Global Moderator

    Again - but as in one of my examples... That one IP is in pools it's not supposed to be in..

    But you're right ntp will figure it out and use the one it calculates to best sync to.. Prob little point to just adding more pools, if your concern is where the ntp servers might be located.



  • @johnpoz

    I just came across some Toronto based stratum 1 NTP servers at TorIX. TorIX is located in a building that I worked in for 17 years. More recently, I did some work in there for Freedom Mobile, a couple of years ago.

    Toronto Internet Exchange



  • @JKnott

    I now have a stratum 2¹ server on my pfSense firewall. One thing I've noticed since switching from pool.ntp.org, is that the clock on my computer appears in closer agreement with a WWVB radio clock I have. When I was using pool.ntp.org, my computer seemed to lag the WWVB clock by a half second or so. Now it appears the same, at least as close as I can tell by eye.

    1. pool.ntp.org provides stratum 2, which means pfSense provided stratum 3. TorIX provides stratum 1, so pfSense can be stratum 2.
