I have a growing number of IoT devices. Pi-Hole helps me understand and manage their outbound traffic, and we are generally unable to modify the config of the devices themselves.
I have noticed three of my devices making NTP requests to time.windows.com every 40 seconds.
Though periodic NTP queries are common, guidelines recommend not more than a few times a day to a few times per hour.
I would reduce my outbound NTP spam if PiHole could expose the OS time, and I could configure it to point specific-domain NTP requests to the onboard provider.
I can already group my IoT devices and ban domains for them, but I think it would be more powerful if I could redirect them to LAN-provided resources.
You can map the domain time.windows.com to a local IP in /etc/hosts on the Pi and run an NTP server at that IP. Linux, Synology and others have the capability to serve time.
I don't know who is doing DHCP for your network, but I reckon if the DHCP service doesn't push an NTP server to its clients, the Windows boxes default to using time.windows.com for time.
You could even push an IP instead of a name for NTP so it doesn't need to resolve through Pi-hole.
Ah this might work. I'll try it out. I didn't realize that if I modified hosts file on the pi that it would change what IP was resolved in the pihole DNS list.
You're not supposed to change anything on the clients.
If the DHCP service broadcasts an NTP server, the clients should accept that NTP server for time sync instead of the default time.windows.com.
If not, then they are crappy devices and should seek support at the manufacturer's.
We can wax poetic about how we wish IoT device makers would open their configs to us or follow certain best practices, but alas they don't.
The devices appear to have their NTP server hardcoded, not respecting my DHCP.
That's why I'm exploring pihole as a solution, because the devices are targeting NTP by DNS.
No, I'm not sure and haven't tried that, but I'm also not using PiHole for DHCP. My EdgeRouter-X is providing DHCP and I can go configure it to provide an internal server... but I don't know where my Echo devices would be grabbing "time.windows.com" from other than their own coded values. They also make requests to things like "www.yahoo.com" at a similar cadence, but I blocked that traffic already.
Yeah, I suspect that if no NTP server is provided through DHCP (the default Pi-hole DHCP doesn't provide one), the devices default to using time.windows.com.
Use nmap on Pi-hole to scan for DHCP options.
And of course check your EdgeRouter if it has an option to push NTP server(s) via DHCP.
Edgerouter does have the option, and I've updated it to explicitly provide some NIST IPs.
I'll see if this abates the traffic while I stand up an internal NTP server.
Maybe you already run an NTP service (123 UDP) on your network:
pi@ph5:~ $ sudo nmap -sU -p123 10.0.0.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-07-22 01:29 CEST
[..]
Nmap scan report for 10.0.0.3
Host is up (0.00041s latency).
PORT STATE SERVICE
123/udp open ntp
MAC Address: 00:11:32:xx:xx:xx (Synology Incorporated)
Nmap scan report for 10.0.0.9
Host is up (0.00092s latency).
PORT STATE SERVICE
123/udp open ntp
MAC Address: B8:27:EB:xx:xx:xx (Raspberry Pi Foundation)
[..]
Nmap done: 256 IP addresses (7 hosts up) scanned in 24.95 seconds
pi@ph5:~ $ sudo ntpdate -u 10.0.0.3
22 Jul 01:38:27 ntpdate[28020]: adjust time server 10.0.0.3 offset -0.001310 sec
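Before pointing time.windows.com at a LAN box (via /etc/hosts or a dnsmasq override, as suggested earlier in the thread), it is worth checking more than that port 123/udp is open: an NTP server that is itself unsynchronised answers with leap indicator 3 or stratum 0, and IoT clients that trust it will get bad time, which then breaks their TLS certificate validation. The script below is an added example, not code from the Pi-hole project or from anyone in this thread. It resolves the name through the system resolver (so, if Pi-hole is the configured DNS, it shows which IP the override actually yields), sends one SNTP v4 request, verifies the reply echoes our transmit timestamp, and computes the RFC 4330 offset and delay. The host name default and the constructed sample timestamps in the self-check helper are assumptions, not values from the thread.

```python
"""SNTP sanity check for a LAN time server before redirecting IoT clients to it.

Added example, not from the Pi-hole project or any poster in the thread.
Assumption (not from the thread): run it on the Pi-hole or any client that uses
Pi-hole as its resolver, e.g.  python3 ntpcheck.py time.windows.com
"""
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP era 0) and 1970-01-01 (Unix)
PKT_LEN = 48                   # fixed SNTP header length


def _ntp_to_unix(ntp_seconds, ntp_fraction):
    return ntp_seconds - NTP_EPOCH_OFFSET + ntp_fraction / 2**32


def _unix_to_ntp(unix_ts):
    secs = int(unix_ts) + NTP_EPOCH_OFFSET
    frac = int((unix_ts - int(unix_ts)) * 2**32)
    return secs, frac


def build_request(t1):
    """48-byte SNTP v4 client packet: LI=0, VN=4, Mode=3 (client), transmit timestamp = t1."""
    secs, frac = _unix_to_ntp(t1)
    pkt = bytearray(PKT_LEN)
    pkt[0] = (0 << 6) | (4 << 3) | 3  # 0x23
    struct.pack_into("!II", pkt, 40, secs, frac)
    return bytes(pkt)


def parse_response(data, t1, t4):
    """Decode a server reply and compute clock offset and round-trip delay (RFC 4330)."""
    if len(data) < PKT_LEN:
        raise ValueError("short NTP packet")
    li, vn, mode = data[0] >> 6, (data[0] >> 3) & 7, data[0] & 7
    stratum = data[1]
    orig_s, orig_f, recv_s, recv_f, tx_s, tx_f = struct.unpack("!6I", data[24:48])
    # The originate field must echo our own transmit timestamp; otherwise this is a stray
    # or forged reply and its timestamps must not be used.
    if (orig_s, orig_f) != _unix_to_ntp(t1):
        raise ValueError("originate timestamp mismatch")
    t2 = _ntp_to_unix(recv_s, recv_f)  # server receive time
    t3 = _ntp_to_unix(tx_s, tx_f)      # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return {"li": li, "version": vn, "mode": mode, "stratum": stratum,
            "offset": offset, "delay": delay}


def server_usable(info):
    """A client should not take time from a reply that is not mode 4 (server),
    that flags LI=3 (clock unsynchronised), or whose stratum is 0 (kiss-o'-death)
    or above 15 (unsynchronised per RFC 5905)."""
    return info["mode"] == 4 and info["li"] != 3 and 1 <= info["stratum"] <= 15


def make_reply(t1, t2, t3, li=0, stratum=2, mode=4):
    """Construct a server reply for offline self-checks (constructed sample, not a capture)."""
    pkt = bytearray(PKT_LEN)
    pkt[0] = (li << 6) | (4 << 3) | mode
    pkt[1] = stratum
    struct.pack_into("!6I", pkt, 24, *_unix_to_ntp(t1), *_unix_to_ntp(t2), *_unix_to_ntp(t3))
    return bytes(pkt)


def query(host, port=123, timeout=2.0):
    """Resolve host with the system resolver, send one SNTP request, return (ip, parsed reply)."""
    ip = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_DGRAM)[0][4][0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (ip, port))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    return ip, parse_response(data, t1, t4)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "time.windows.com"
    ip, info = query(host)
    print(f"{host} -> {ip}: stratum {info['stratum']}, LI {info['li']}, "
          f"offset {info['offset']:+.6f}s, delay {info['delay']:.6f}s")
    print("usable" if server_usable(info) else "NOT usable: do not point clients at it")
```

If the printed IP is still the public one, the DNS override is not being served to the host you ran it from; if the IP is correct but the reply is flagged "NOT usable", fix the LAN server's upstream sync (e.g. chrony/ntpd sources) before redirecting anything, since every client on the override would inherit its clock.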
Indeed it seems that my pi running pi-hole is already running an NTP service.
Presumably, then, I can just redirect requests to time.windows.com to localhost on the pihole.
Sorry for not being clear.
I am pushing NTP using IP through DHCP from my EdgeRouter-X. The IoT devices do not appear to be respecting it, though I restarted them... perhaps they have some cache. I'll wait and see what happens with them tomorrow.
jfb (can't @-mention other users yet) indicated above that if I add time.windows.com to the hosts file on my pihole I can redirect it from there. I suspect this will have the effect of redirecting all clients. I would prefer to only do it for my IoT devices. I will test modifying the hosts file tomorrow.
Regardless of them not respecting my timeserver config, they're requesting it every 40 seconds.
The result is that, over time, nearly half my outbound requests are NTP.