Could someone help me to identify IP addresses for *.pool.ntp.org

Hello All - I am raising a firewall request with my network team for the *.pool.ntp.org domain. They came back asking for IP details. Though I mentioned it is a dynamic IP, the team is requesting that I provide a range. Could you please help me with the process to identify the IP addresses for these servers?

Thanks in advance.

Best
Madan

The NTP servers from the pool are in 0.0.0.0/0. I suspect your network team will not be happy with that.


Beat me to it, @mlichvar :smile:

Hi @Madan, the pool uses volunteer servers from all round the world, so, while I’m sure @Ask could generate a snapshot of the IP addresses in the pool, the question isn’t really a valid one as the IPs could be (in theory) from anywhere in the world and they change as people volunteer new servers / servers go offline etc.

I’d suggest either port 123 needs to be opened or you look for a different solution.

These pages may help you decide whether the pool is for you: https://www.ntppool.org/en/use.html https://www.ntppool.org/tos.html


Thanks @mlichvar, @elljay - I already shared the UDP port details with the team. They are just asking me to provide a range of IP addresses to open the port for NTP. Is there a way we can get this by pinging the domain in the command prompt? Please help me here.

Hi, no - it is not possible. The list of IP addresses changes all the time. You must either open port 123 to all IP addresses or not use the NTP pool.

I think you can do one of the following:

  • Use some of the Stratum 2 servers
  • Buy / build one (or even more) NTP server to provide NTP to your local net
  • Rent some VPS / hardware server with a static IP and use only those

And also ::/0!

Servers on the stratum two list generally use static IPs and are in it for the long haul, but they will still occasionally be renumbered or shut down without warning.


If you need fixed IPs, then you might want to look into:

https://publicntp.org/
or
https://www.cloudflare.com/time/
or if you are in the USA:
https://tf.nist.gov/tf-cgi/servers.cgi

Also time.apple.com servers seem static.


What you need is more competent people on your network team.


Hi Madan,

It seems that the network team is taking the wrong approach. By poking holes in the firewall, it looks like their goal is to allow all clients on the internal company network to connect to NTP servers on the Internet. This may cause surges of NTP requests from one or a handful of public IP addresses to pool members. Many pool members have restrictions built into their configuration on the number of packets they allow from a single IP address in a given time frame. The end result may be that your public company IP addresses are effectively blocked from a number of time sources.

It is far better if the network team would configure their router, or an edge server directly connected to the Internet, to become an NTP time server. This time server can synchronize with the NTP pool or with a handful of fixed, reliable time sources on the Internet. The clients on the internal computer network can in turn connect to this company time server.

With this configuration, your network team does not need to poke holes in the firewall configuration for a number of IP addresses on the Internet. Therefore it is a safer solution. And we as pool members will less likely block your company’s time request packets due to packet rate violations.

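The edge-server setup described in the reply above, written out as a chrony configuration. This is an added example, not configuration posted by anyone in the thread; the internal subnet 10.0.0.0/8 and the hostname ntp.corp.example are assumed placeholders, and only the edge host needs UDP/123 outbound to 0.0.0.0/0 and ::/0, while internal clients talk only to it.

```conf
# /etc/chrony/chrony.conf on the edge NTP server (assumed path; Debian/Ubuntu layout)

# Take time from the pool; "pool" keeps up to 4 sources resolved from the name
# and re-resolves as pool members come and go, so no fixed IP list is needed.
pool pool.ntp.org iburst maxsources 4

# Standard housekeeping: persist frequency error, step the clock only at start-up,
# and keep the hardware clock in sync.
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync

# Serve time to the internal network only (10.0.0.0/8 is a constructed placeholder).
# Everything else is denied by default, so the edge box is not an open NTP responder.
allow 10.0.0.0/8

# Keep answering internal clients at stratum 10 if upstream becomes unreachable,
# instead of going silent.
local stratum 10

# Per-client rate limiting, the same mechanism pool operators use to cut off
# sources that send too many packets.
ratelimit interval 3 burst 8

# Refuse to accept time from the clients we serve.
noclientlog


# /etc/chrony/chrony.conf on each internal client (assumed path)
# ntp.corp.example is a constructed hostname resolving to the edge server.
server ntp.corp.example iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
```

After `systemctl restart chrony`, `chronyc sources -v` on the edge host should list four pool peers, and on a client a single `^*` line for the edge server.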