I managed to get the hack below working because the NTP protocol doesn't communicate domain/hostnames.
The below would be impossible for, for example, HTTPS (SNI) and any other protocol using TLS ... except if you set up MITM.
Considering the "limitations" below:
pi@ph5a:~ $ man dnsmasq
[..]
--cname=<cname>,[<cname>,]<target>[,<TTL>]
Return a CNAME record which indicates that <cname> is really
<target>. There are significant limitations on the target; it
must be a DNS name which is known to dnsmasq from /etc/hosts (or
additional hosts files), from DHCP, from --interface-name or
from another --cname. If the target does not satisfy this cri‐
teria, the whole cname is ignored. The cname must be unique, but
it is permissible to have more than one cname pointing to the
same target. Indeed it's possible to declare multiple cnames to
a target in a single line, like so: --cname=cname1,cname2,target
If the time-to-live is given, it overrides the default, which is
zero or the value of --local-ttl. The value is a positive inte‐
ger and gives the time-to-live in seconds.
I first created a dnsmasq config file 99-my-settings.conf containing a local TXT DNS record definition on the Pi-hole host to make embedded dnsmasq "authoritative" for the 1.pool.ntp.org domain:
pi@ph5a:~ $ sudo tee /etc/dnsmasq.d/99-my-settings.conf <<< $'txt-record=1.pool.ntp.org,"Dummy record to become authoritative"'
txt-record=1.pool.ntp.org,"Dummy record to become authoritative"
Test syntax:
pi@ph5a:~ $ pihole-FTL --test -c /etc/dnsmasq.d/99-my-settings.conf
dnsmasq: syntax check OK.
And reloaded to apply:
pi@ph5a:~ $ sudo service pihole-FTL reload
pi@ph5a:~ $
Created a CNAME via the web GUI: time.android.com --> 1.pool.ntp.org :
http://pi.hole/admin/cname_records.php
And grabbed my laptop client to test:
dehakkelaar@laptop:~$ host -t txt 1.pool.ntp.org
1.pool.ntp.org descriptive text "Dummy record to become authoritative"
dehakkelaar@laptop:~$ host time.android.com
time.android.com is an alias for 1.pool.ntp.org.
1.pool.ntp.org has address 94.198.159.11
1.pool.ntp.org has address 185.255.55.20
1.pool.ntp.org has address 5.79.75.37
1.pool.ntp.org has address 108.61.164.200
dehakkelaar@laptop:~$ sudo ntpdate -q time.android.com
server 108.61.164.200, stratum 2, offset -0.001624, delay 0.03429
server 94.198.159.11, stratum 2, offset -0.001078, delay 0.03870
server 185.255.55.20, stratum 2, offset -0.009562, delay 0.05182
server 5.79.75.37, stratum 2, offset -0.001605, delay 0.03404
18 Apr 20:03:01 ntpdate[6084]: adjust time server 5.79.75.37 offset -0.001605 sec
But ...
why not push your own NTP server(s) to the clients via DHCP?
pi@ph5a:~ $ pihole-FTL -- --help dhcp
Known DHCP options:
[..]
42 ntp-server
[..]
pi@ph5a:~ $ sudo tee /etc/dnsmasq.d/99-my-settings.conf <<< $'dhcp-option=option:ntp-server,10.0.0.3'
dhcp-option=option:ntp-server,10.0.0.3
pi@ph5a:~ $ pihole-FTL --test -c /etc/dnsmasq.d/99-my-settings.conf
dnsmasq: syntax check OK.
pi@ph5a:~ $ sudo service pihole-FTL reload
pi@ph5a:~ $
pi@ph5a:~ $ pihole-FTL dhcp-discover
Scanning all your interfaces for DHCP servers
[..]
ntp-server: 10.0.0.3
You could also install the ntp package on your Pi-hole host(s) and push that one via DHCP:
pi@ph5a:~ $ apt show ntp
[..]
Description: Network Time Protocol daemon and utility programs
NTP, the Network Time Protocol, is used to keep computer clocks
accurate by synchronizing them over the Internet or a local network,
or by following an accurate hardware receiver that interprets GPS,
DCF-77, NIST or similar time signals.
.
This package contains the NTP daemon and utility programs. An NTP
daemon needs to be running on each host that is to have its clock
accuracy controlled by NTP. The same NTP daemon is also used to
provide NTP service to other hosts.
.
For more information about the NTP protocol and NTP server
configuration and operation, install the package "ntp-doc".
Or maybe you're already running an NTP service on your LAN:
pi@ph5a:~ $ sudo nmap -sU -p123 --open 10.0.0.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-28 16:41 CET
Nmap scan report for 10.0.0.3 (10.0.0.3)
Host is up (0.00062s latency).
PORT STATE SERVICE
123/udp open ntp
MAC Address: 00:11:32:xx:xx:xx (Synology Incorporated)
Nmap scan report for 10.0.0.9 (10.0.0.9)
Host is up (0.00093s latency).
PORT STATE SERVICE
123/udp open ntp
MAC Address: B8:27:EB:xx:xx:xx (Raspberry Pi Foundation)
Nmap scan report for 10.0.0.11 (10.0.0.11)
Host is up (0.00050s latency).
PORT STATE SERVICE
123/udp open|filtered ntp
MAC Address: 00:1E:0B:xx:xx:xx (Hewlett Packard)
Nmap done: 256 IP addresses (10 hosts up) scanned in 8.10 seconds
Phew ... it became a bit lengthy
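Added example, not part of the original post: a minimal NTP request/reply pair in Python showing why the CNAME redirect above is invisible to the client. The 48-byte request has no field for a server name, and the only thing binding a reply to a request is the echoed origin timestamp. Function names are hypothetical, the timestamps are constructed, and plain unauthenticated NTP (no NTS) is assumed.

```python
import struct

NTP_DELTA = 2208988800          # seconds from 1900-01-01 (NTP era 0) to the Unix epoch
HDR = "!BBbb3I4Q"               # flags, stratum, poll, precision, 3x32-bit, 4x64-bit timestamps

def to_ntp(unix_ts):
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    return int(round((unix_ts + NTP_DELTA) * 2**32))

def from_ntp(ts64):
    return ts64 / 2**32 - NTP_DELTA

def build_request(t1):
    """Client request: LI=0, VN=4, Mode=3. Takes no server name; none fits in the 48 bytes."""
    return struct.pack(HDR, (4 << 3) | 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))

def make_reply(request, t2, t3, stratum=2):
    """Constructed server side for offline use: the client's transmit time is echoed as origin."""
    client_tx = struct.unpack("!Q", request[40:48])[0]
    return struct.pack(HDR, (4 << 3) | 4, stratum, 0, -20, 0, 0, 0,
                       to_ntp(t2), client_tx, to_ntp(t2), to_ntp(t3))

def parse_response(request, reply, t4):
    """Return stratum, offset and delay (the figures ntpdate -q prints) for a reply seen at t4."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    flags, stratum, *_, org, rx, tx = struct.unpack(HDR, reply[:48])
    if flags & 0x7 != 4:
        raise ValueError("not a server-mode reply")
    if stratum == 0:
        raise ValueError("kiss-o'-death reply, no usable time")
    # With no name or TLS in the exchange, the echoed origin timestamp is the only
    # thing tying this reply to our request, so a mismatch is rejected.
    if org != struct.unpack("!Q", request[40:48])[0]:
        raise ValueError("origin timestamp does not match our request")
    t1, t2, t3 = from_ntp(org), from_ntp(rx), from_ntp(tx)
    return {"stratum": stratum,
            "offset": ((t2 - t1) + (t3 - t4)) / 2,
            "delay": (t4 - t1) - (t3 - t2)}

if __name__ == "__main__":
    req = build_request(1000.0)                 # constructed timestamps, not captured traffic
    rep = make_reply(req, 1000.25, 1000.5)
    print(len(req), parse_response(req, rep, 1001.0))
```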