Add NTP server, cache + intercept

I have a growing number of IoT devices. Pi-hole helps me understand and manage their outbound traffic, and we are generally unable to modify the configuration of the devices themselves.

I have noticed three of my devices making NTP requests to time.windows.com every 40 seconds.
Though periodic NTP queries are common, guidelines recommend no more than a few times a day to a few times per hour.

I would reduce my outbound NTP spam if Pi-hole could expose the OS time, and I could configure it to redirect specific-domain NTP requests to the onboard provider.
I can already group my IoT devices and ban domains for them, but I think it would be more powerful if I could redirect them to LAN-provided resources.
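To put numbers on the "every 40 seconds" observation before changing anything, the following script (an added example, not code from this thread or from the Pi-hole project) parses the dnsmasq-style `query[TYPE] name from client` lines that Pi-hole writes to /var/log/pihole.log, reports each client's median interval between queries for a given name, and computes each name's share of all queries. The log excerpt embedded in SAMPLE_LOG is constructed for the demonstration, and the 900-second "chatty" threshold is an assumption standing in for the "a few times per hour" guideline above, not a Pi-hole setting.

```python
"""Measure per-client DNS query cadence from Pi-hole's dnsmasq-style query log.

Added example, not code from the thread. It assumes the "query[TYPE] name from
client" lines Pi-hole writes to /var/log/pihole.log; SAMPLE_LOG is constructed
to mimic two minutes of such traffic, not a real capture.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Syslog timestamps carry no year; the caller supplies one.
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample: two IoT clients polling time.windows.com every 40 s,
# one ordinary client making two unrelated lookups, one non-query line.
SAMPLE_LOG = """\
Jul 22 01:29:03 dnsmasq[1234]: query[A] time.windows.com from 10.0.0.50
Jul 22 01:29:03 dnsmasq[1234]: forwarded time.windows.com to 10.0.0.1
Jul 22 01:29:05 dnsmasq[1234]: query[A] example.net from 10.0.0.20
Jul 22 01:29:43 dnsmasq[1234]: query[A] time.windows.com from 10.0.0.50
Jul 22 01:29:44 dnsmasq[1234]: query[A] time.windows.com from 10.0.0.51
Jul 22 01:30:23 dnsmasq[1234]: query[A] time.windows.com from 10.0.0.50
Jul 22 01:30:24 dnsmasq[1234]: query[A] time.windows.com from 10.0.0.51
Jul 22 01:30:30 dnsmasq[1234]: query[AAAA] example.net from 10.0.0.20
Jul 22 01:31:03 dnsmasq[1234]: query[A] time.windows.com from 10.0.0.50
Jul 22 01:31:04 dnsmasq[1234]: query[A] time.windows.com from 10.0.0.51
"""


def parse_queries(lines, year=2020):
    """Yield (timestamp, client, name) for each query line; other lines are skipped."""
    for line in lines:
        m = QUERY_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["client"], m["name"].lower().rstrip(".")


def cadence_report(lines, year=2020):
    """Per (client, name): number of queries and median seconds between them."""
    seen = defaultdict(list)
    for ts, client, name in parse_queries(lines, year):
        seen[(client, name)].append(ts)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[key] = {"count": len(stamps), "median_gap": median(gaps) if gaps else None}
    return report


def domain_share(lines, year=2020):
    """Fraction of all logged queries that each name accounts for."""
    counts = Counter(name for _, _, name in parse_queries(lines, year))
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()} if total else {}


def flag_chatty(report, max_gap=900.0, min_count=3):
    """(client, name) pairs polling more often than once per max_gap seconds.

    900 s (a few times per hour) is an assumed threshold, not a Pi-hole setting;
    min_count avoids flagging a pair on a single short gap.
    """
    return sorted(
        key for key, stats in report.items()
        if stats["count"] >= min_count
        and stats["median_gap"] is not None
        and stats["median_gap"] < max_gap
    )


if __name__ == "__main__":
    rep = cadence_report(SAMPLE_LOG.splitlines())
    for key in flag_chatty(rep):
        print(key, rep[key])
    print({k: round(v, 2) for k, v in domain_share(SAMPLE_LOG.splitlines()).items()})
```

On a real Pi-hole you would feed it `open("/var/log/pihole.log")` instead of SAMPLE_LOG; the same (client, name) keys are what you would later use to confirm that a hosts-file or DHCP change actually stopped the polling rather than just moved it.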

You can map the domain time.windows.com to a local IP in /etc/hosts on the Pi and run an NTP server at that IP. Linux, Synology and others have the capability to serve time.

I don't know who is doing DHCP for your network, but I reckon if the DHCP service doesn't push an NTP server to its clients, the Windows boxes default to using time.windows.com for time.
You could even push an IP instead of a name for NTP so it doesn't need to resolve through Pi-hole.

These are IoT devices that I can't readily configure for NTP, AFAICT. It appears to be hardcoded in the device to "time.windows.com"

Ah, this might work. I'll try it out. I didn't realize that if I modified the hosts file on the Pi it would change what IP was resolved in the Pi-hole DNS list.

You're not supposed to change anything on the clients.
If the DHCP service broadcasts an NTP server, the clients should accept that NTP server for time sync instead of the default time.windows.com.
If not, then they are crappy devices and should seek support at the manufacturer's.

We can wax poetic about how we wish IoT device makers would open their configs to us or follow certain best practices, but alas they don't.
The devices appear to have their NTP server hardcoded, not respecting my DHCP.
That's why I'm exploring Pi-hole as a solution, because the devices are targeting NTP by DNS.

Are you sure? How have you determined that?
Have you tried:

No, I'm not sure and haven't tried that, but I'm also not using Pi-hole for DHCP. My EdgeRouter-X is providing DHCP and I can go configure it to provide an internal server.... but I don't know where my Echo devices would be grabbing "time.windows.com" from other than their own coded values :slight_smile: They also make requests to things like "www.yahoo.com" at a similar cadence, but I blocked that traffic already.


Yeah, I suspect that if no NTP server is provided through DHCP (default Pi-hole DHCP doesn't provide one), the devices default to using time.windows.com.
Use nmap on Pi-hole to scan for DHCP options.
And of course check whether your EdgeRouter has an option to push NTP server(s) via DHCP.

Edgerouter does have the option, and I've updated it to explicitly provide some NIST IPs.
I'll see if this abates the traffic while I stand up an internal NTP server.

Maybe you already run an NTP service (123 UDP) on your network:

pi@ph5:~ $ sudo nmap -sU -p123 10.0.0.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-07-22 01:29 CEST
[..]
Nmap scan report for 10.0.0.3
Host is up (0.00041s latency).

PORT    STATE SERVICE
123/udp open  ntp
MAC Address: 00:11:32:xx:xx:xx (Synology Incorporated)

Nmap scan report for 10.0.0.9
Host is up (0.00092s latency).

PORT    STATE SERVICE
123/udp open  ntp
MAC Address: B8:27:EB:xx:xx:xx (Raspberry Pi Foundation)
[..]
Nmap done: 256 IP addresses (7 hosts up) scanned in 24.95 seconds

pi@ph5:~ $ sudo ntpdate -u 10.0.0.3
22 Jul 01:38:27 ntpdate[28020]: adjust time server 10.0.0.3 offset -0.001310 sec
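What the `ntpdate -u 10.0.0.3` line above does can be reproduced in a few dozen lines, which is handy when you want to confirm that the server a LAN client is being steered to actually answers and is sane. The script below is an added example, not code from this thread or from ntpdate: `query()` performs the real UDP exchange against a server you name (the 10.0.0.3 address is taken from the scan above), while `offline_demo()` builds a constructed server reply so the parsing and the offset/delay arithmetic can be checked without a network. The reply check that matters most is that the server's origin timestamp echoes the transmit timestamp we sent; without it any host that can spoof UDP could hand the client an arbitrary time.

```python
"""Minimal SNTP (RFC 4330) client exchange, with an offline self-check.

Added example, not code from the thread or from ntpdate. The timestamps in
offline_demo() are constructed, not captured from a real server.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800                 # seconds from 1900-01-01 to 1970-01-01
PACKET_FMT = "!BBBb11I"                       # LI/VN/mode, stratum, poll, precision, 11 words
PACKET_LEN = struct.calcsize(PACKET_FMT)      # 48 bytes


def to_ntp(unix_ts):
    """Unix float seconds -> (ntp_seconds, ntp_fraction) 32-bit words."""
    whole = int(unix_ts)
    frac = int((unix_ts - whole) * (1 << 32))
    return whole + NTP_EPOCH_OFFSET, frac


def from_ntp(secs, frac):
    """(ntp_seconds, ntp_fraction) -> Unix float seconds."""
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_request(t1):
    """Client packet: LI=0, VN=4, mode=3; only the transmit timestamp (T1) is set."""
    secs, frac = to_ntp(t1)
    return struct.pack(PACKET_FMT, 0x23, 0, 0, 0, *([0] * 9), secs, frac)


def build_server_reply(request, t2, t3, stratum=2):
    """Constructed mode-4 reply for offline testing: echoes the client's transmit
    timestamp into the origin field and fills receive (T2) and transmit (T3)."""
    orig = struct.unpack("!II", request[40:48])
    r2, r3 = to_ntp(t2), to_ntp(t3)
    return struct.pack(PACKET_FMT, 0x24, stratum, 0, -20,
                       0, 0, 0x4C4F434C, 0, 0,        # root delay/disp, refid "LOCL", ref ts
                       orig[0], orig[1], r2[0], r2[1], r3[0], r3[1])


def parse_reply(data, request, t4):
    """Validate the reply against the request we sent; return stratum, offset, delay."""
    if len(data) < PACKET_LEN:
        raise ValueError("short packet")
    fields = struct.unpack(PACKET_FMT, data[:PACKET_LEN])
    li_vn_mode, stratum = fields[0], fields[1]
    if li_vn_mode & 0x07 != 4:
        raise ValueError("not a server reply (mode != 4)")
    if (li_vn_mode >> 6) == 3:
        raise ValueError("server clock not synchronised (LI=3)")
    if stratum == 0 or stratum > 15:
        raise ValueError("kiss-o'-death or unsynchronised stratum %d" % stratum)
    # The origin timestamp (bytes 24..31) must echo our transmit timestamp
    # (bytes 40..47 of the request); this is what ties a reply to our request
    # and rejects unsolicited or spoofed replies.
    if data[24:32] != request[40:48]:
        raise ValueError("origin timestamp does not match our request")
    words = fields[4:]
    t1 = from_ntp(*struct.unpack("!II", request[40:48]))
    t2 = from_ntp(words[7], words[8])          # server receive time
    t3 = from_ntp(words[9], words[10])         # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2       # how far our clock is behind the server
    delay = (t4 - t1) - (t3 - t2)              # round trip minus server processing time
    return {"stratum": stratum, "version": (li_vn_mode >> 3) & 0x07,
            "offset": offset, "delay": delay}


def query(server, port=123, timeout=2.0):
    """Live exchange, e.g. query("10.0.0.3") for the Synology box found in the scan."""
    req = build_request(time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, port))
        data, _ = s.recvfrom(1024)
    return parse_reply(data, req, time.time())


def offline_demo():
    """Constructed exchange: 7 ms each way, 2 ms server processing, server 3 ms ahead."""
    t1 = 1595374707.0
    req = build_request(t1)
    reply = build_server_reply(req, t2=t1 + 0.010, t3=t1 + 0.012)
    return parse_reply(reply, req, t4=t1 + 0.016)


if __name__ == "__main__":
    print(offline_demo())
```

The offline exchange yields an offset of about +3 ms and a delay of 14 ms, the same two quantities ntpdate reports. For the LAN case in this thread, running `query("10.0.0.9")` from another host after the hosts-file redirect is the quick way to prove the Pi answers on 123/udp before pointing the IoT devices at it.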

Indeed, it seems that my Pi running Pi-hole is already running an NTP service.
Presumably, then, I can just redirect requests for time.windows.com to localhost on the Pi-hole.

Is that a question?
You know my opinion, try push NTP IP (not name) through DHCP.

Sorry for not being clear.
I am pushing NTP using an IP through DHCP from my EdgeRouter-X. The IoT devices do not appear to be respecting it, though I restarted them... perhaps they have some cache. I'll wait and see what happens with them tomorrow.

jfb (can't @-mention other users yet :slight_smile: ) indicated above that if I add time.windows.com to the hosts file on my Pi-hole I can redirect it from there. I suspect this will have the effect of redirecting all clients. I would prefer to only do it for my IoT devices. I will test modifying the hosts file tomorrow.

Yes, the devices need to renew their DHCP lease for the changes to propagate.
Power cycling them is one of the options to renew the lease.

Normal devices honor the DHCP options received.
Normal non-M$ devices don't query time.windows.com for time :wink:

They're not M$ devices. They're Alexa-enabled IoT devices. Specifically they're OneLink Safe and Sound smoke detectors.

That's a sad implementation by Alexa, using M$'s time servers.
They have huge public NTP pools available to them on the net as alternative.

EDIT: and more tracking opportunities for M$.

Regardless of them not respecting my time server config, they're requesting it every 40 seconds.
The result is that, over time, nearly half my outbound requests are NTP :smiley:
