0.us.pool.ntp.org resolving to non NTP server

Wondering if this is the right place for this.

Is anyone else noticing that when resolving 0.us.pool.ntp.org from the NS c.ntpns.org it occasionally responds with 192.241.206.171, which does not have UDP 123 open, and reverse records resolve to gopher.fart.website. The operator of this website is aware of the issue and has actually configured his nginx config so anyone who visits 0.us.pool.ntp.org via the bad DNS entry gets redirected to some stupid youtube video. As a result of this, any time my Windows Time Service queries pool.ntp.org it gets this sketchy address and tries to pull NTP from it. This issue has been triggering IDS alarms across my organization as it is a known Tor node.

Here are my recent dig results as of 2/1/2017 at 10:03 GMT-5

dig @c.ntpns.org 0.us.pool.ntp.org

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> @c.ntpns.org 0.us.pool.ntp.org
; (4 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11632
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;0.us.pool.ntp.org. IN A

;; ANSWER SECTION:
0.us.pool.ntp.org. 150 IN A 107.151.174.199
0.us.pool.ntp.org. 150 IN A 64.71.152.181
0.us.pool.ntp.org. 150 IN A 192.241.206.171
0.us.pool.ntp.org. 150 IN A 38.229.71.1

;; Query time: 110 msec
;; SERVER: 85.214.25.217#53(85.214.25.217)
;; WHEN: Wed Feb 1 10:03:17 2017
;; MSG SIZE rcvd: 167

There are probably other people running an NTP server and Tor relay on the same IP. If you whitelist such traffic in your IDS you won’t get any more alarms…

It seems to be replying to NTP:
http://www.pool.ntp.org/scores/192.241.206.171


Thanks for the responses guys. I’ve just whitelisted it. Just thought it was strange that reverse queries weren’t resolving to the hostname under http://www.pool.ntp.org/scores/192.241.206.171 (chfoo-d1.mooo.com) but instead were resolving to gopher.fart.website.

There’s no particular reason they should match. chfoo-d1.mooo.com is a hostname that happened to point to that IP address at the moment it was added to the NTP Pool system. (And still does, too.) It’s common for IP addresses, especially IPv4 addresses, used as servers to have numerous forward DNS records, and one reverse DNS record. They can’t all match.

None of my NTP IP reverse DNS records match the hostnames listed on the NTP Pool site. Sometimes it’s for boring technical reasons; sometimes it’s because I’ve renamed or reorganized services since adding them; sometimes it’s because the IP is shared for multiple things, and I prefer a different reverse DNS record.

For that server, I guess the operator thinks gopher farts are funny. But maybe they didn’t own the fart domain when they added that server to the Pool.

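Added example, not code from this thread or from the NTP Pool project: a Python script that does the two checks discussed above before whitelisting an address, resolving the pool name, looking up each A record's reverse name (which, as noted, need not match the forward name), and sending a real NTPv3 client query to UDP 123 to see whether the host answers like an NTP server rather than just having the port open. The default hostname is the one from the thread; the two-second timeout and the field names in the result dicts are my own choices.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)


def build_ntp_request() -> bytes:
    """48-byte NTPv3 client packet: LI=0, VN=3, Mode=3, every other field zero."""
    return bytes([0x1B]) + bytes(47)


def parse_ntp_response(data: bytes) -> dict:
    """Decode the header fields that show whether a host really speaks NTP."""
    if len(data) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    li_vn_mode, stratum = struct.unpack("!BB", data[:2])
    mode = li_vn_mode & 0x07  # 4 = server reply; anything else is not an answer to a client
    ref_id = data[12:16]
    # Stratum 0/1 carry an ASCII code (kiss-o'-death or clock source); stratum >= 2 carries the upstream IPv4
    ref = ref_id.decode("ascii", "replace").strip("\x00 ") if stratum <= 1 else socket.inet_ntoa(ref_id)
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "mode": mode,
        "stratum": stratum,
        "ref_id": ref,
        "tx_time": tx_secs - NTP_EPOCH_OFFSET + tx_frac / 2**32,  # Unix seconds
        "looks_like_ntp": mode == 4 and 1 <= stratum <= 15,  # stratum 0 is a KoD, not time
    }


def probe_ntp(ip, timeout=2.0):
    """Send one client request to UDP/123 and parse the answer; None if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (ip, 123))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_ntp_response(data)


def check_pool(name="0.us.pool.ntp.org"):
    """Resolve the pool name, then record the reverse name and NTP reply for every A record."""
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(name, 123, socket.AF_INET, socket.SOCK_DGRAM)})
    results = []
    for ip in ips:
        try:
            ptr = socket.gethostbyaddr(ip)[0]  # may legitimately differ from the forward name
        except socket.herror:
            ptr = None
        results.append({"ip": ip, "ptr": ptr, "ntp": probe_ntp(ip)})
    return results
```

Run `check_pool()` from a host that is allowed outbound UDP 123; an entry whose `ntp` is `None` or has `looks_like_ntp` false is the one worth a closer look before adding it to an IDS allow list.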