I've been using my local DNS server to redirect systems on my local network to the local NTP server when they request commonly used NTP servers. The current list:

time.android.com
time.apple.com
time.asia.apple.com
time.euro.apple.com
time.aws.com
sntp.brother.com
time.cloudflare.com
*.ntp-fireos.com
time.google.com
time1.google.com
time2.google.com
time3.google.com
time4.google.com
time.windows.com
pool.ntp.org
*.pool.ntp.org

Any fairly common ones I've missed?

(This post brought to you by nobody ever really implementing DHCP option 42.)

#NTP #DNS
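As an added example (not part of the original post), the script below turns the hostname list above into resolver overrides for two common local DNS servers, dnsmasq and unbound, plus the DHCP option 42 line the post's aside refers to. The local NTP server address 192.168.1.1 and the choice of dnsmasq/unbound are assumptions. Wildcard entries such as `*.pool.ntp.org` become a bare domain, which both `address=/domain/` in dnsmasq and a `redirect` local-zone in unbound apply to every label underneath (and to the apex itself, so `pool.ntp.org` and `*.pool.ntp.org` collapse into one line).

```shell
#!/bin/sh
# Added example: generate DNS overrides that send NTP hostnames to a local
# NTP server. Not from the original post; local NTP IP is an assumption.
set -e

NTP_IP=192.168.1.1   # assumed address of the local NTP server; edit to taste

# Hostnames from the post. "*.domain" means every label under the domain.
NTP_HOSTS='time.android.com
time.apple.com
time.asia.apple.com
time.euro.apple.com
time.aws.com
sntp.brother.com
time.cloudflare.com
*.ntp-fireos.com
time.google.com
time1.google.com
time2.google.com
time3.google.com
time4.google.com
time.windows.com
pool.ntp.org
*.pool.ntp.org'

# Normalize the list: drop a leading "*.", drop blanks, dedupe. Both
# generators below match subdomains anyway, so the wildcard is implicit.
domains() {
    printf '%s\n' "$NTP_HOSTS" | sed 's/^\*\.//' | grep -v '^$' | sort -u
}

# dnsmasq: address=/domain/ip answers A queries for the domain and every
# name beneath it with the given address.
dnsmasq_config() {
    domains | while read -r d; do
        printf 'address=/%s/%s\n' "$d" "$NTP_IP"
    done
}

# unbound: a "redirect" local-zone answers the zone apex and all subdomains
# from the local-data record, which is the unbound equivalent of the above.
unbound_config() {
    domains | while read -r d; do
        printf 'local-zone: "%s." redirect\n' "$d"
        printf 'local-data: "%s. A %s"\n' "$d" "$NTP_IP"
    done
}

# dnsmasq as DHCP server: hand out DHCP option 42 (ntp-server) as well,
# for the clients that do honour it.
dhcp_config() {
    printf 'dhcp-option=option:ntp-server,%s\n' "$NTP_IP"
}

# Print everything when run directly.
echo "# dnsmasq"
dnsmasq_config
dhcp_config
echo "# unbound"
unbound_config
```

After loading the generated lines into the resolver, `dig +short time.google.com @<resolver IP>` should return the local NTP address for any name on the list. Keep in mind this only catches clients that use the local resolver and look NTP up by name; a device with a hard-coded NTP IP, or one that resolves over DoH/DoT to an outside server, walks straight past it, which is what the outbound port 123 block discussed later in the thread is for.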

@jbaggs

This covers a lot of rando IoT... and Philips Hue.

#alibaba
ntp[1-4].aliyun.com

Great list!

@badsamurai Nice, thanks!

It looks like ntp[1-7].aliyun.com all have DNS records at this point, with 2-7 redirecting to ntp.aliyun.com.

No real IoT on the network here at the moment, but that's not to say someone won't plug something in.

@jbaggs here it is… there are a few good lists on GitHub, but I've used this for reference since I had to just finally block all outbound 123 on the firewall. Default block is the way.

https://gist.github.com/mutin-sa/eea1c396b1e610a2da1e5550d94b0453

List of Top Public Time Servers

@badsamurai Yeah. I think I went over that list when I first put it together, now that I think about it. I should see if anything has changed since I last looked.

I completely forgot about Facebook, but their servers are pretty much completely unreachable from my home network anyway. (They keep buying up address space, and it keeps going into the firewall block list eventually.)

@jbaggs my network seems so stable until friends and nieces visit and ask why insta, tok, x, discord, ring, and all kinds of dumb stuff just doesnโ€™t work.

I just say, "I dunno, we live in tall trees."

@badsamurai I've received some similar reactions. No complaints about clocks syncing though.

ETA: You made the comment about default deny, and of course that is the best policy for actually blocking things. That's not really the exercise here, so much as making a common setting people don't change redirect to a specific server when they are on my network.