Add NTP server, cache + intercept

I have a number of IoT devices and growing. Pi-Hole helps me understand and manage their outbound traffic, and we are generally unable to modify config of the devices themselves.

I have noticed three of my devices making NTP requests to every 40 seconds.
Though periodic NTP queries are common, guidelines recommend not more than a few times a day to a few times per hour.

I would reduce my outbound NTP spam if PiHole could expose the OS time, and I could configure it to pihole specific domain NTP requests to the onboard provider.
I can already group my IoT devices and ban domains for them, but I think it would be more powerful if I could redirect them to LAN-provided resources.

You can map the domain to a local IP in /etc/hosts on the Pi and run an ntp server at that IP. Linux, Synology and others have the capability to serve time.

I dont know who is doing DHCP for your network but I recon if the DHCP service doesnt push an NTP server to its clients, the Windows boxes default to using for time.
You could even push an IP instead of name for NTP so it doesnt need to resolve through Pi-hole.

These are IoT devices that I can't readily configure for NTP, AFAICT. It appears to be hardcoded in the device to ""

Ah this might work. I'll try it out. I didn't realize that if I modified hosts file on the pi that it would change what IP was resolved in the pihole DNS list.

Your not suppose to change anything on the clients.
If the DHCP service broadcasts an NTP server, the clients should accept that NTP server for time sync instead of the default
If not, then they are crappy devices and should seek support at the manufacturer's.

We can wax poetically about how we wish IoT device makers would open their configs to us or follow certain best practices, but alas they don't.
The devices appear to have their NTP server hardcoded, not respecting my DHCP.
That's why I'm exploring pihole as a solution, because the devices are targetting NTP by DNS.

Are you sure, how have you determined ?
Have you tried:

No I'm not sure and haven't tried that, but I'm also not using PiHole for DHCP. My EdgeRouter-X is providing DHCP and I can go configure it to provide an internal server.... but I don't know where my Echo devices would be grabbing "" from other than their own coded values :slight_smile: They also make requests to things like "" at similar cadence but I blocked that traffic already.

1 Like

Yeah I suspect that if no NTP server is provided through DHCP (default Pi-hole DHCP doesnt provide one), the devices default to using
Use nmap on Pi-hole to scan for DHCP options.
And oc check your Edgerouter if it has an option to push NTP server(s) via DHCP.

Edgerouter does have the option, and I've updated it to explicitly provide some NIST IPs.
I'll see if this abates the traffic while I stand up an internal NTP server.

Maybe you already run an NTP service (123 UDP) on your network:

pi@ph5:~ $ sudo nmap -sU -p123
Starting Nmap 7.70 ( ) at 2020-07-22 01:29 CEST
Nmap scan report for
Host is up (0.00041s latency).

123/udp open  ntp
MAC Address: 00:11:32:xx:xx:xx (Synology Incorporated)

Nmap scan report for
Host is up (0.00092s latency).

123/udp open  ntp
MAC Address: B8:27:EB:xx:xx:xx (Raspberry Pi Foundation)
Nmap done: 256 IP addresses (7 hosts up) scanned in 24.95 seconds

pi@ph5:~ $ sudo ntpdate -u
22 Jul 01:38:27 ntpdate[28020]: adjust time server offset -0.001310 sec

Indeed it seems that my pi running pi-hole is already running an NTP service.
presumably, then I can just redirect requests to to localhost on the pihole

Is that a question ?
You know my opinion, try push NTP IP (not name) through DHCP.

Sorry for not being clear.
I am pushing NTP using IP through DHCP from my EdgeRouter-X. The IoT devices do not appear to be respecting it, though I restarted them... perhaps they have some cache. I'll wait and see what happens with them tomorrow.

jfb (can't @-mention other users yet :slight_smile: ) indicated above that if I add to the hosts file on my pihole that I can redirect it from there. I suspect this will have the effect of redirecting all clients. I would prefer to only do it for my IoT devices. I will test modifying the hosts file tomorrow.

Yes, the devices need to renew their DHCP lease for the changes to propagate.
Power cycling them is on of the options to renew the lease.

Normal devices honer the DHCP options received.
Normal non M$ devices dont query for time :wink:

They're not M$ devices. They're Alexa-enabled IoT devices. Specifically they're OneLink Safe and Sound smoke detectors.

Thats a sad implementation by Alexa using M$'s time servers.
They have huge public NTP pools available to them on the net as alternative.

EDIT: and more tracking opportunities for M$.

Regardless of them not respecting my timeserver config, they're requesting it every 40 seconds.
The result is that, over time, nearly half my outbound requests are NTP :smiley:

1 Like