DNS issues for north-america.pool.ntp.org

dns

#1
Hi, as of 2018-10-30 there seem to be some issues resolving north-america.pool.ntp.org:

local DNS server:
# nslookup -type=any 3.north-america.pool.ntp.org.
Server:         192.168.99.70
Address:        192.168.99.70#53

Non-authoritative answer:
Name:   3.north-america.pool.ntp.org
Address: 209.115.181.106
Name:   3.north-america.pool.ntp.org
Address: 208.79.89.249
Name:   3.north-america.pool.ntp.org
Address: 107.191.50.162
Name:   3.north-america.pool.ntp.org
Address: 140.82.7.153

Authoritative answers can be found from:
org     nameserver = a0.org.afilias-nst.info.
org     nameserver = b2.org.afilias-nst.org.
org     nameserver = a2.org.afilias-nst.info.
org     nameserver = b0.org.afilias-nst.org.
org     nameserver = d0.org.afilias-nst.org.
org     nameserver = c0.org.afilias-nst.info.
a0.org.afilias-nst.info internet address = 199.19.56.1
a0.org.afilias-nst.info has AAAA address 2001:500:e::1
a2.org.afilias-nst.info internet address = 199.249.112.1
a2.org.afilias-nst.info has AAAA address 2001:500:40::1
b0.org.afilias-nst.org  internet address = 199.19.54.1
b0.org.afilias-nst.org  has AAAA address 2001:500:c::1
b2.org.afilias-nst.org  internet address = 199.249.120.1
b2.org.afilias-nst.org  has AAAA address 2001:500:48::1
c0.org.afilias-nst.info internet address = 199.19.53.1
c0.org.afilias-nst.info has AAAA address 2001:500:b::1
d0.org.afilias-nst.org  internet address = 199.19.57.1
d0.org.afilias-nst.org  has AAAA address 2001:500:f::1

OK, but ntpd apparently doesn't use non-authoritative results, so I'll try the first IP address which is supposed to be authoritative:
# nslookup -type=any 3.north-america.pool.ntp.org. 199.19.56.1
Server:         199.19.56.1
Address:        199.19.56.1#53

Non-authoritative answer:
*** Can't find 3.north-america.pool.ntp.org.: No answer

Authoritative answers can be found from:
ntp.org nameserver = ns2.p20.dynect.net.
ntp.org nameserver = anyns.pch.net.
ntp.org nameserver = ns3.p20.dynect.net.
ntp.org nameserver = dns2.udel.edu.
ntp.org nameserver = ns1.p20.dynect.net.
ntp.org nameserver = ns4.p20.dynect.net.
ntp.org nameserver = ns1.everett.org.
ntp.org nameserver = dns1.udel.edu.
ns1.everett.org internet address = 66.220.13.229

That's odd: the authoritative server isn't authoritative!  I think ntpd gives up at this point.  Continuing to the newly specified IP address:
# nslookup -type=any 3.north-america.pool.ntp.org. 66.220.13.229
Server:         66.220.13.229
Address:        66.220.13.229#53

Non-authoritative answer:
*** Can't find 3.north-america.pool.ntp.org.: No answer

Authoritative answers can be found from:
pool.ntp.org    nameserver = c.ntpns.org.
pool.ntp.org    nameserver = f.ntpns.org.
pool.ntp.org    nameserver = d.ntpns.org.
pool.ntp.org    nameserver = e.ntpns.org.
pool.ntp.org    nameserver = i.ntpns.org.
pool.ntp.org    nameserver = a.ntpns.org.
pool.ntp.org    nameserver = b.ntpns.org.
pool.ntp.org    nameserver = h.ntpns.org.
pool.ntp.org    nameserver = g.ntpns.org.

Still no joy. Finally trying one of the ntpns.org nameservers:
# nslookup -type=any 3.north-america.pool.ntp.org. g.ntpns.org.
Server:         g.ntpns.org.
Address:        198.105.223.32#53

Name:   3.north-america.pool.ntp.org
Address: 23.131.160.7
Name:   3.north-america.pool.ntp.org
Address: 35.171.237.77
Name:   3.north-america.pool.ntp.org
Address: 107.181.191.189
Name:   3.north-america.pool.ntp.org
Address: 104.225.103.41

Finally, some authoritative responses.  But ntpd (4.2.8p11) apparently isn't that persistent.

#2

Those DNS responses look fine.

The response was “non-authoritative” because the query was sent to a resolver. It answered the question, and marked the response as non-authoritative because it’s a resolver and not one of the zone’s authoritative servers. That’s normal and correct behavior.

ntpd should have no problem with it.

What’s actually going wrong? What’s ntpd doing? What do its logs say? Is it failing to resolve NTP Pool addresses? Is it successfully resolving other servers? What is its configuration?


#3

If you are running a semi-recent version of NTP you can also use the ‘pool’ directive instead of ‘server’.

https://www.eecis.udel.edu/~mills/ntp/html/confopt.html#pool

That might help if you are having DNS issues or servers that keep dropping out.
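As an added illustration of the pool directive the post links to (an example configuration written for this thread, not taken from the post or from the NTP documentation; the restrict lines are one reasonable policy, not the only one):

```conf
# /etc/ntp.conf fragment (example, not from the thread)
driftfile /var/lib/ntp/ntp.drift

# Default policy: answer time queries only, no modification or peering.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

# Addresses that the pool directives resolve to are accepted as time
# sources (so the default "nopeer" does not block them) but still
# may not modify or query this daemon.
restrict source notrap nomodify noquery

# Old style: one name, one association. If that single address drops
# out, ntpd has nothing to fall back on.
# server 3.north-america.pool.ntp.org iburst

# pool: ntpd re-resolves the name, keeps several associations alive and
# replaces servers that become unreachable.
pool 0.north-america.pool.ntp.org iburst
pool 1.north-america.pool.ntp.org iburst
pool 2.north-america.pool.ntp.org iburst
pool 3.north-america.pool.ntp.org iburst
```

After a restart, `ntpq -p` should show several pool-sourced associations per name rather than one.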


#4

I’m using pool directives; ntpd running on a Linux host gives log lines:

1 Nov 02:02:28 ntpd[4775]: error resolving pool 3.north-america.pool.ntp.org: No address associated with hostname (-5)

If I put a server line in the configuration for frigg.fancube.com (one of the pool servers)
and restart ntpd, I get:

1 Nov 02:10:33 ntpd[9393]: DNS frigg.fancube.com (A) -> 154.16.245.246

So normal server domain names are resolved correctly.

The problem with the DNS responses is that the initial (non-authoritative) response indicates servers which are supposed to be authoritative (a0.org.afilias-nst.info etc.), but those servers claim not to have authoritative information, referring to yet another set of servers, etc., until finally the ntpns.org servers return useful responses.

A side-effect of adding the server line to the configuration is that now the pool addresses are resolving. This may be a problem related to the deferred lookups in the chroot ntpd code (which has had a number of issues).


#5

But the nslookup output doesn’t show anything wrong. There might be something wrong, but everything nslookup showed was things operating normally and correctly.

What happens if you put “pool frigg.fancube.com” or “server 3.north-america.pool.ntp.org” or “server 2.north-america.pool.ntp.org” or “pool 2.north-america.pool.ntp.org” in the configuration?

Does DNS resolution always malfunction? Was it at boot, when the clock might be wildly wrong, and networking might not be working right yet? Could you have been using a different DNS resolver at the time?


#6
Normally, I'd expect that a query to a server which is supposed to be authoritative should return a proper answer; that's what has traditionally happened and still happens for many queries, e.g.:

# nslookup -type=any c.mewe.com
Server:         192.168.99.70
Address:        192.168.99.70#53

Non-authoritative answer:
Name:   c.mewe.com
Address: 52.209.84.30
Name:   c.mewe.com
Address: 18.203.210.108
Name:   c.mewe.com
Address: 52.50.72.213

Authoritative answers can be found from:
mewe.com        nameserver = ns-2046.awsdns-63.co.uk.
mewe.com        nameserver = ns-1093.awsdns-08.org.
mewe.com        nameserver = ns-196.awsdns-24.com.
mewe.com        nameserver = ns-879.awsdns-45.net.
ns-196.awsdns-24.com    internet address = 205.251.192.196
ns-879.awsdns-45.net    has AAAA address 2600:9000:5303:6f00::1
ns-1093.awsdns-08.org   internet address = 205.251.196.69
ns-1093.awsdns-08.org   has AAAA address 2600:9000:5304:4500::1
ns-2046.awsdns-63.co.uk internet address = 205.251.199.254
ns-2046.awsdns-63.co.uk has AAAA address 2600:9000:5307:fe00::1

# nslookup -type=any c.mewe.com ns-1093.awsdns-08.org
Server:         ns-1093.awsdns-08.org
Address:        205.251.196.69#53

Name:   c.mewe.com
Address: 18.203.210.108
Name:   c.mewe.com
Address: 52.209.84.30
Name:   c.mewe.com
Address: 52.50.72.213


I'd call that normal; a server initially reported as being authoritative returns an authoritative result rather than no result.

I'm not sure that a pool directive for a regular server name makes sense, but with that as the only server/pool directive I get failure:

1 Nov 08:45:48 ntpd[7580]: error resolving pool frigg.fancube.com: No address associated with hostname (-5)

server 3.north-america.pool.ntp.org resolves to a single IP address:

1 Nov 08:43:37 ntpd[7037]: DNS 3.north-america.pool.ntp.org (A) -> 195.21.152.161

This happens consistently. The local DNS resolver handles LAN host names plus a few exceptional names and forwards everything else to 8.8.8.8.

Other machines running ntpd under NetBSD don't show any problems; this is beginning to look like a chroot/Linux-specific issue with ntpd [rebuilding with the undocumented options mentioned in ntp bug 2680 comment 26 fixes that].

But the DNS response auxiliary information pointing to supposedly authoritative servers that aren't in fact authoritative looks odd to me.

Anyway, thanks for your help.

#7

Your DNS server sometimes returns a misleading authority section showing information from a parent zone.

(I think this is a ‘feature’ of BIND when it doesn’t have complete authority information cached. Newer versions don’t include unnecessary authority sections by default, so you won’t see it anymore.)

(I don’t know if any other recursive DNS servers do the same thing. None of the ones I use do.)

A client like ntpd ignores the authority section entirely, so it doesn’t matter what it says or how bizarre it is. The answer section was correct.

It’s not a typical setup – though it’s useful if a server’s IP address changes – but it’s a good test. :smile:
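To make concrete what #2 and #7 say about the AA bit and the authority section, here is an added example (written for this thread, not code from the thread or from ntpd) that parses two constructed DNS responses: a recursive resolver's reply carrying a parent-zone NS record in its authority section, and a TLD server's bare referral with no answer at all. The packets are built inline and are not captured traffic; the names and addresses are reused from the first post purely for illustration. The `classify` function mirrors what a stub resolver does: it keys off the answer section and ignores both the AA bit and the authority section.

```python
import struct

A, NS = 1, 2  # RR types used below


def encode_name(name):
    """Encode a dotted name as DNS labels, no compression."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_response(qname, aa, ra, answers, authority, compress=False):
    """Build a constructed DNS response (sample data, not captured traffic).
    answers: IPv4 strings for A records; authority: (zone, nsname) pairs."""
    flags = 0x8100 | (0x0400 if aa else 0) | (0x0080 if ra else 0)  # QR, RD, [AA], [RA]
    msg = struct.pack(">HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack(">HH", A, 1)
    # A compression pointer to offset 12 (the question name) exercises the
    # parser's pointer handling, as real resolvers compress owner names.
    owner = b"\xc0\x0c" if compress else encode_name(qname)
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += owner + struct.pack(">HHIH", A, 1, 300, 4) + rdata
    for zone, ns in authority:
        rdata = encode_name(ns)
        msg += encode_name(zone) + struct.pack(">HHIH", NS, 1, 86400, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return header flags plus the decoded answer and authority sections."""
    _, flags, qd, an, ns, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                            # skip QTYPE, QCLASS

    def read_rrs(count, off):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            if rtype == A and rdlen == 4:
                value = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype == NS:
                value, _ = read_name(msg, off)
            else:
                value = msg[off:off + rdlen].hex()
            rrs.append((name, rtype, value))
            off += rdlen
        return rrs, off

    answer, off = read_rrs(an, off)
    authority, off = read_rrs(ns, off)
    return {"aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answer": answer, "authority": authority}


def classify(parsed):
    """Stub-resolver view: usable if the answer section has records, whatever
    the AA bit says; a referral only matters to an iterative resolver."""
    if parsed["rcode"] != 0:
        return "error"
    if parsed["answer"]:
        return "answer"
    if any(t == NS for _, t, _ in parsed["authority"]):
        return "referral"
    return "nodata"


QNAME = "3.north-america.pool.ntp.org."

# Constructed: a recursive resolver's reply, AA clear (nslookup prints
# "Non-authoritative answer"), with a parent-zone NS in the authority section.
RESOLVER_REPLY = build_response(QNAME, aa=False, ra=True,
                                answers=["209.115.181.106", "208.79.89.249"],
                                authority=[("org.", "a0.org.afilias-nst.info.")],
                                compress=True)

# Constructed: what a TLD server returns when asked directly: no answer, a referral.
TLD_REFERRAL = build_response(QNAME, aa=False, ra=False, answers=[],
                              authority=[("ntp.org.", "ns1.everett.org.")])

if __name__ == "__main__":
    for label, pkt in (("resolver", RESOLVER_REPLY), ("tld", TLD_REFERRAL)):
        p = parse_response(pkt)
        print(label, classify(p), "aa=%s" % p["aa"], p["answer"], p["authority"])
```

Run stand-alone it prints `resolver answer aa=False ...` followed by `tld referral aa=False ...`: the first packet is exactly the situation in the opening post, and a stub resolver such as ntpd's takes the two A records and never looks at the `org.` NS record beside them.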


#8

As @mnordhoff said, it all looks normal (and the important part would be if your DNS server reports errors or the client / stub-resolver can’t get answers).

ISC have recommended using dig (or more recently drill) for DNS debugging for almost 20 years (or more?). nslookup isn’t a good tool for diagnosing DNS (or really for anything).


#9

I’m in love with ‘kdig’; it’s from the folks that develop the knot-resolver.