Why is Cloudflare in the pool?

I would suggest a TTL of 900~1800; that is more than enough, and there is no need to change more often.

In my opinion the goal of the NTP-DNS system is to take wrong/bad tickers out, but not many clients request all the time.
As you always present 4 IPs, the chance of getting all 4 bad is not great. Sure, it can happen.

There is no point in setting it much lower unless it's feeding stupid systems that poll every 10 seconds and abuse the system.
Heck my server ignores systems that poll too much.

Just improve the DNS so it will take out systems that have proven to be unreliable too often, so that they are presented less.

Put a counter on their 'mistakes' and make a stepping system that takes them out or puts them back.

Like: Wrong ticker = out instantly => but can return after 10 right ticks.
Unreachable = step down, not taken out, testing 5 more times, nothing => out, but will return once 5 reachability tests are OK.

With such an approach the TTL doesn't need to be that low and you save a lot of DNS traffic.

Just my opinion.

Bas.
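One way to express the stepping scheme Bas sketches above, as an added example that is not code from the post or from the NTP pool project: the thresholds follow the post (10 right ticks to return after a wrong tick, 5 further unreachable probes before "out", 5 good probes to return after that), while the names (`observe`, `ServerState`, `Status`, `run`, `servable`) and the rule that a single good probe restores a stepped-down server are my assumptions.

```python
"""Stepping health tracker for pool servers, modelled on the scheme in the post above.
Added example; thresholds and the 'one good probe restores a stepped-down server'
rule are assumptions, not the pool's real monitor."""
from dataclasses import dataclass
from enum import Enum

WRONG_TICK_RETURN = 10   # good ticks needed to return after a wrong tick
UNREACHABLE_PROBES = 5   # extra failed probes while stepped down before "out"
UNREACHABLE_RETURN = 5   # good probes needed to return after being out for unreachability


class Status(Enum):
    IN = "in"                      # handed out in DNS answers
    STEPPED_DOWN = "stepped_down"  # still handed out, but under closer watch
    OUT = "out"                    # withheld from DNS answers


@dataclass
class ServerState:
    status: Status = Status.IN
    failed_probes: int = 0   # consecutive unreachable probes while stepped down
    good_streak: int = 0     # consecutive good probes while out
    good_needed: int = 0     # good probes required before returning


def observe(state: ServerState, result: str) -> ServerState:
    """Apply one monitor result ('ok', 'wrong' or 'unreachable') and return the state."""
    if result not in ("ok", "wrong", "unreachable"):
        raise ValueError(f"unknown probe result: {result!r}")

    if result == "wrong":
        # Wrong ticker = out instantly, whatever the current status.
        state.status = Status.OUT
        state.good_needed = WRONG_TICK_RETURN
        state.good_streak = state.failed_probes = 0
        return state

    if state.status is Status.IN:
        if result == "unreachable":
            state.status = Status.STEPPED_DOWN   # step down, not out
            state.failed_probes = 0
    elif state.status is Status.STEPPED_DOWN:
        if result == "ok":
            state.status = Status.IN             # assumption: one good probe restores it
            state.failed_probes = 0
        else:
            state.failed_probes += 1
            if state.failed_probes >= UNREACHABLE_PROBES:
                state.status = Status.OUT
                state.good_needed = UNREACHABLE_RETURN
                state.good_streak = 0
    else:  # Status.OUT
        if result == "ok":
            state.good_streak += 1
            if state.good_streak >= state.good_needed:
                state.status = Status.IN
                state.good_streak = state.failed_probes = state.good_needed = 0
        else:
            state.good_streak = 0                # an unreachable probe restarts the streak
    return state


def run(results) -> list:
    """Feed a sequence of results to a fresh server; return the status after each probe."""
    state = ServerState()
    return [observe(state, r).status for r in results]


def servable(states: dict) -> list:
    """Names of servers that may be handed out in DNS answers: everything not OUT."""
    return [name for name, s in states.items() if s.status is not Status.OUT]
```

Because a server only leaves the answer set on a wrong tick or after repeated unreachability, the DNS side does not need a very short TTL to react; the monitor's own cadence decides how fast a bad server disappears.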

From the NTP client's perspective that is just fine. However, from the NTP server's perspective it isn't so good. Imagine how many clients are using Google's DNS cache (8.8.8.8) or Cloudflare's (1.1.1.1). Not counting the ISP's DNS servers, where most if not all of the ADSL modems are configured on the WAN side to use the ISP's DNS servers, and on the LAN side act as a DNS cache for all the clients ready to rely on the DNS option in the DHCP configuration. It isn't surprising that there are short-term big variations in the NTP server load. From the NTP server's perspective the shortest DNS TTL is the best.

To delay the decision on the appropriate DNS TTL value, I suggest the following: the TTL should be a startup, or even a dynamic, configuration parameter in the code, allowing one to easily experiment with different TTL values on individual geo DNS server instances, and to collect information on the DNS server load as well as the smoothness of the NTP server load.

You forget something.

The DNS caches in modems/routers mostly ignore those low TTL settings.
Also most OSes like Windows and Ubuntu/Mint do not respect a low TTL if it still responds.

Such a low TTL will do nothing but put a bigger load on the DNS servers out there, all of them and especially on @Ask's DNS servers, as they are questioned all the time.

E.g. if you set a TTL of 900, a DNS server will not query Ask's DNS for 15 minutes if there are changes, and that is fine, as others do the same; a TTL is just a timer.
It means that if 900 DNS servers all ask after 1+ second, the load on Ask is 1 request per sec.
If you set 90, the 900 DNS servers will each ask 10 requests per sec.
If you set it to 9, it will be 100 requests per second.

Of course it's not that simplistic. However, the networks of the clients that connect to these 900 DNS servers can be many, but they don't request that often, as they request minpoll 4~6, that is more than 15~30 minutes.

And in chrony you can ignore an abusive polling client if it polls too much from the same network.

Then there is the problem of DHCP: Linux Ubuntu/Mint do not use the pool if the router (the Fritzbox does) gives its own timeserver to the internal network; all DHCP clients will use that and only fall back to the pool if the modem/router doesn't support NTP.

There is really no reason to put the TTL that low; it will only overload DNS servers.

BTW, I just checked what Ask has set; it's right in the middle of my suggestion :grin:

------------
    QUESTIONS:
	pool.ntp.org, type = CNAME, class = IN
    ANSWERS:
    AUTHORITY RECORDS:
    ->  pool.ntp.org
	origin = c.ntpns.org
	mail addr = hostmaster.pool.ntp.org
	serial = 1656691328
	refresh = 5400
	retry = 5400
	expire = 1209600
	minimum = 3600
	ttl = 1500
    ADDITIONAL RECORDS:
------------

What you're seeing there is not the TTL of the A or AAAA records; the actual TTL of these records is 150 seconds.

nslookup -debug 2.pool.ntp.org

[trim]
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 4,  authority records = 0,  additional = 0

    QUESTIONS:
        2.pool.ntp.org, type = A, class = IN
    ANSWERS:
    ->  2.pool.ntp.org
        internet address = 73.239.136.185
        ttl = 150 (2 mins 30 secs)
    ->  2.pool.ntp.org
        internet address = 162.19.148.81
        ttl = 150 (2 mins 30 secs)
    ->  2.pool.ntp.org
        internet address = 178.33.101.188
        ttl = 150 (2 mins 30 secs)
    ->  2.pool.ntp.org
        internet address = 192.46.210.39
        ttl = 150 (2 mins 30 secs)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 4,  authority records = 0,  additional = 0

    QUESTIONS:
        2.pool.ntp.org, type = AAAA, class = IN
    ANSWERS:
    ->  2.pool.ntp.org
        AAAA IPv6 address = 2601:603:b7f:fec0:face:face:face:face
        ttl = 150 (2 mins 30 secs)
    ->  2.pool.ntp.org
        AAAA IPv6 address = 2a01:4f8:140:1321::2
        ttl = 150 (2 mins 30 secs)
    ->  2.pool.ntp.org
        AAAA IPv6 address = 2a02:8106:67:6400::2
        ttl = 150 (2 mins 30 secs)
    ->  2.pool.ntp.org
        AAAA IPv6 address = 2a01:4f8:202:1002:1111:1111:1cc:1
        ttl = 150 (2 mins 30 secs)

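To make the distinction in this reply concrete, here is an added example (not code from the thread or from the NTP pool project) that parses `nslookup -debug` output and reports each A/AAAA record's own TTL separately from the SOA that appears in the AUTHORITY section. The first output quoted earlier was for a CNAME query that returned no answer, so the SOA there only governs how long a resolver may cache that negative (NODATA) answer; RFC 2308 uses the smaller of the SOA record's TTL and its minimum field. The sample text is copied from the two outputs in this thread, trimmed to two records each; the function names, and the `authoritative_query_rate` helper that restates the earlier post's resolvers-per-TTL model, are my assumptions.

```python
"""Parse `nslookup -debug` output and keep record TTLs apart from SOA values."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample text copied from the two nslookup outputs quoted in this thread (trimmed).
SAMPLE_CNAME_QUERY = """\
    QUESTIONS:
\tpool.ntp.org, type = CNAME, class = IN
    ANSWERS:
    AUTHORITY RECORDS:
    ->  pool.ntp.org
\torigin = c.ntpns.org
\tmail addr = hostmaster.pool.ntp.org
\tserial = 1656691328
\trefresh = 5400
\tretry = 5400
\texpire = 1209600
\tminimum = 3600
\tttl = 1500
    ADDITIONAL RECORDS:
"""

SAMPLE_A_AAAA = """\
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
    QUESTIONS:
        2.pool.ntp.org, type = A, class = IN
    ANSWERS:
    ->  2.pool.ntp.org
        internet address = 73.239.136.185
        ttl = 150 (2 mins 30 secs)
    ->  2.pool.ntp.org
        internet address = 162.19.148.81
        ttl = 150 (2 mins 30 secs)
Got answer:
    QUESTIONS:
        2.pool.ntp.org, type = AAAA, class = IN
    ANSWERS:
    ->  2.pool.ntp.org
        AAAA IPv6 address = 2601:603:b7f:fec0:face:face:face:face
        ttl = 150 (2 mins 30 secs)
    ->  2.pool.ntp.org
        AAAA IPv6 address = 2a01:4f8:140:1321::2
        ttl = 150 (2 mins 30 secs)
"""

SECTION_RE = re.compile(r"^\s*(QUESTIONS|ANSWERS|AUTHORITY RECORDS|ADDITIONAL RECORDS):\s*$")
RECORD_RE = re.compile(r"^\s*->\s+(\S+)\s*$")          # "->  name" opens a record
FIELD_RE = re.compile(r"^\s*([\w ]+?)\s*=\s*(.+?)\s*$")  # "key = value" inside a record
TYPE_BY_FIELD = {"internet address": "A", "AAAA IPv6 address": "AAAA", "origin": "SOA"}


@dataclass
class Record:
    section: str                  # ANSWERS, AUTHORITY RECORDS or ADDITIONAL RECORDS
    name: str
    fields: dict = field(default_factory=dict)

    @property
    def rtype(self) -> str:
        return next((t for f, t in TYPE_BY_FIELD.items() if f in self.fields), "?")

    @property
    def ttl(self) -> Optional[int]:
        raw = self.fields.get("ttl")          # e.g. "150 (2 mins 30 secs)" or "1500"
        return int(raw.split()[0]) if raw else None


def parse_nslookup_debug(text: str) -> list:
    """Return the records of every 'Got answer:' block, tagged with their section."""
    records, section, current = [], None, None
    for line in text.splitlines():
        if line.strip() == "Got answer:":
            section, current = None, None
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group(1), None
            continue
        m = RECORD_RE.match(line)
        if m and section and section != "QUESTIONS":
            current = Record(section=section, name=m.group(1))
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:       # header lines have no open record, so they are skipped
            current.fields[m.group(1)] = m.group(2)
    return records


def negative_cache_ttl(soa: Record) -> int:
    """RFC 2308 section 3: a NODATA/NXDOMAIN answer is cacheable for min(SOA TTL, SOA minimum)."""
    return min(soa.ttl, int(soa.fields["minimum"]))


def summarize(text: str) -> dict:
    """Per-type list of (address, ttl), plus the negative-cache TTL from any SOA seen."""
    out = {"A": [], "AAAA": [], "negative_cache_ttl": None}
    for r in parse_nslookup_debug(text):
        if r.rtype == "SOA":
            out["negative_cache_ttl"] = negative_cache_ttl(r)
        elif r.rtype in out:
            addr_field = next(f for f, t in TYPE_BY_FIELD.items() if t == r.rtype)
            out[r.rtype].append((r.fields[addr_field], r.ttl))
    return out


def authoritative_query_rate(resolvers: int, ttl: int) -> float:
    """The earlier post's rough model: each caching resolver re-asks once per TTL second."""
    return resolvers / ttl
```

Run `summarize(SAMPLE_CNAME_QUERY + SAMPLE_A_AAAA)` to see the two numbers side by side: the address records carry 150, while the 1500 from the SOA only bounds how long the empty CNAME answer stays cached.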