RPZ for names other than pool.ntp.org


#1

Dear All,

In my opinion it is important that all network devices in our own administrative domain have the same time, or let's say almost the same time. Therefore we are using DNS RPZ (restricted policy zone, also known as DNS as a firewall).

With this feature in BIND we rewrite all DNS queries for *.pool.ntp.org to our own NTP servers. We also do this for Microsoft's time server (almost all PCs run Windows) and for the Apple, Google and Ubuntu time servers.

Are there any other major, frequently used DNS names for NTP servers? I do not care if an exotic OS is not caught.

// Hans
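A minimal BIND configuration for the rewrite Hans describes, added here as an illustration and not taken from his setup: the resolver's named.conf enables a local response policy zone, and the zone maps the pool.ntp.org names plus the well-known vendor names (time.windows.com, time.apple.com, time.google.com and ntp.ubuntu.com, which the post refers to but does not list) to one internal NTP host. The zone name rpz.example.internal, the target ntp.example.internal and the file path are assumptions.

```bind
// --- named.conf on the recursive resolver (added example, assumed names) ---
options {
    // ... existing resolver options ...
    response-policy {
        zone "rpz.example.internal";
    } break-dnssec no;   // default: do not rewrite a validated answer for a client
                         // that asked for DNSSEC data (DO bit); "yes" breaks validation
};

zone "rpz.example.internal" {
    type master;
    file "/etc/bind/db.rpz.example.internal";   // assumed path
    allow-query { none; };                      // policy data is not served to clients
};

; --- /etc/bind/db.rpz.example.internal (policy zone file) ---
$TTL 300
@   IN SOA  localhost. hostmaster.example.internal. (
            2024010101 ; serial, bump on every change
            3600 900 604800 300 )
    IN NS   localhost.

; Trigger names are relative to the zone apex, so the owner "pool.ntp.org"
; matches the query pool.ntp.org. A wildcard does not cover the apex itself,
; so both entries are needed. CNAME targets must lie outside the policy zone.
pool.ntp.org        IN CNAME ntp.example.internal.
*.pool.ntp.org      IN CNAME ntp.example.internal.
time.windows.com    IN CNAME ntp.example.internal.
time.apple.com      IN CNAME ntp.example.internal.
time.google.com     IN CNAME ntp.example.internal.
ntp.ubuntu.com      IN CNAME ntp.example.internal.
```

Validate the files with named-checkconf and named-checkzone rpz.example.internal /etc/bind/db.rpz.example.internal before an rndc reload, then confirm with dig against the resolver that a lookup of 2.pool.ntp.org returns the CNAME to the internal host. Two limits are worth keeping in mind: with break-dnssec no, a client that validates DNSSEC itself and sets the DO bit still receives the unmodified answer for a signed name, which is the practical side of the DNSSEC question raised in the next post; and RPZ only steers clients that use this resolver and resolve the name at all, so it complements rather than replaces NTP configuration on managed devices.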


#2

Why are you interfering with legitimate traffic instead of properly configuring your end devices?
And what will you do when the queries start using DNSSEC?


#3

Hi marki,

Why are you interfering with legitimate traffic instead of properly configuring your end devices?

Because it's easier to make a configuration in one single location instead of on 500 distributed devices. And the second reason is that we (as IT) do not have access to all devices (BYOD).

And it is a properly configured device. The client gets an IP address for an NTP server which is well configured and up-to-date, which I cannot guarantee for all pool servers.

And what will you do when the queries start using DNSSEC?

What should happen?
Actually I don't see DNSSEC as the great all-solving solution. Currently there are some unanswered questions for me, for example what happens with DHCP dynamic updates.

// Hans