This is not that strange.
GeoDNS maps resolver IP addresses to NTP servers in a country/continent zone.
It just takes one client in the US using a resolver in Europe for this client to appear at you folks' NTP server in Europe.
So in short: do not always assume that the client's country of origin is the same as the resolver's country of origin.
Now, there are still extra reasons for this to happen:
- AWS clients use de.pool.ntp.org directly instead of pool.ntp.org (unlikely)
- Bugs in the MaxMind database
- AWS uses resolvers from DE/EUROPE for clients in US (or a bug in the MaxMind DB)
- A combination of any of the above
We wrote a technical report on GeoDNS, reverse engineering it to really understand how it works.
You can download it here
But there are two things that should be kept separate:
- NTP clients' IP addresses (and their country codes mapped by MaxMind)
- DNS resolvers' IP addresses (and their country codes)
GeoDNS is a DNS server; it only sees the latter: the resolvers' IP addresses, and not the clients behind them. So say, if AWS for this event uses a resolver IP address that was (wrongfully) mapped to Europe by MaxMind, then all clients behind this resolver will be served by EU or EU-country servers, regardless of the client country code.
In this way, having US-based NTP clients showing up in your NTP server is not odd; it just needs these clients to use an EU- or DE-based resolver.
What I notice doing my measurements is that:
- MaxMind's IP2location DB changes quite a lot from version to version.
- The NTPPool folks seem to always be using the latest version.
- IP addresses not found in the MaxMind DB are mapped to the global zone.
So maybe that explains why you are first seeing faraway clients and you don't see them anymore. If the MaxMind DB cannot map the resolver's IP address to a country, you end up in the global zone.
BTW, are you sure you’re not in the global zone? Check your server score at their website:
https://www.ntppool.org/scores/94.198.159.11
If you see a @ at zones, then you're in the global zone.
GeoDNS mapping
We sort of reverse engineered GeoDNS to understand how it really works. It's all in the tech report, but for brevity I summarize it here.
- GeoDNS gets the country code from your resolver IP address, provided by the MaxMind IP2location DB.
- It then returns you up to 4 random A/AAAA records from the country subzone.
- For example, if your IP address is mapped to DE, then you'll be served with 4 random IPs from the de zone.
- However, if your country zone is empty, i.e., has no NTP servers in it (and there were 125 when we did the analysis; see Table 2 in the tech report. Another example: South Sudan and others), you then fall back to the continent zone.
- (If GeoDNS can't get your country, it sends you to the global zone.)
Notes: country and continent zones can be quite dynamic, either because people add/remove servers, or because they are kicked out by the pool monitoring system. Check Fig. 5 in the tech report.
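
The mapping steps summarized above, as an added Python sketch that is not part of the original post and not GeoDNS's own code. The geo table, country-to-continent map, zone contents and all addresses are constructed; only the selection order (country zone, then continent zone if the country zone is empty, global zone "@" if the resolver is not in the DB) follows the post.

```python
import ipaddress
import random

# Constructed stand-in for the MaxMind lookup: resolver prefix -> country code.
GEO_DB = {
    ipaddress.ip_network("192.0.2.0/25"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "SS",  # country zone is empty below
}
CONTINENT = {"DE": "europe", "SS": "africa"}  # constructed country -> continent map

# Constructed zone contents; "@" is the global zone.
ZONES = {
    "de": ["203.0.113.%d" % i for i in range(1, 7)],
    "ss": [],
    "europe": ["203.0.113.%d" % i for i in range(1, 20)],
    "africa": ["203.0.113.101", "203.0.113.102"],
    "@": ["203.0.113.%d" % i for i in range(1, 120)],
}

def zone_for(resolver_ip):
    """Pick the zone from the resolver's address only; the client is never seen."""
    addr = ipaddress.ip_address(resolver_ip)
    cc = next((c for net, c in GEO_DB.items() if addr in net), None)
    if cc is None:                       # resolver not in the geo DB -> global zone
        return "@"
    if ZONES.get(cc.lower()):            # country zone has servers
        return cc.lower()
    return CONTINENT[cc]                 # empty country zone -> continent zone

def answer(resolver_ip, rng=random):
    """Return (zone, up to 4 random records from that zone)."""
    zone = zone_for(resolver_ip)
    pool = ZONES[zone]
    return zone, rng.sample(pool, min(4, len(pool)))

def mismatches(clients):
    """Clients whose own country differs from the zone their resolver selects."""
    return [(name, cc, zone_for(res)) for name, cc, res in clients
            if zone_for(res) != cc.lower()]

if __name__ == "__main__":
    # Constructed clients: (label, client country, resolver address in use).
    clients = [("a", "US", "192.0.2.53"), ("b", "DE", "192.0.2.53"),
               ("c", "DE", "198.18.0.53"), ("d", "SS", "198.51.100.53")]
    for row in mismatches(clients):
        print(row)
```

Client "a" is the case from the thread: a US client behind a DE-mapped resolver is handed servers from the de zone.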