Hey folks,
I’ve been thinking it would be great to add NTS support to FTL’s built-in NTP client. With Pi-hole as the central DNS hub, accurate and secure time is crucial.
Quick why NTS?
• Plain NTP (port 123) is unencrypted – attackers can spoof time responses → DNSSEC breaks, logs go haywire, caching chaos.
• NTS (RFC 8915) encrypts everything (TLS on 4460), server auth via certs → no spoofing.
• Cloudflare/Google have had it for years (time.cloudflare.com), no RTT penalty (~20ms).
Real risks:
• Bad time = Pi-hole unusable (signature timeouts).
• NTP amplification still a DDoS vector (>1Tbps possible).
Implementation idea:
```toml
[ntp.sync]
server = "time.cloudflare.com"
nts = true # New option
port = 4460
```
Fallback to plain NTP. Minimal effort, v6-ready.
Big security win for home setups (Pi 5 headless) and enterprise (NIST 800-53 compliance). Anyone working on this?
Cheers, xprs
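To make the "TLS on 4460, server auth via certs" step concrete, here is an added example (not FTL or Pi-hole code, and not from the original post) of the NTS Key Establishment (NTS-KE) record framing from RFC 8915 that a client exchanges over that TLS connection: it builds the client's request, parses a constructed server answer, rejects unknown critical records and error records, and returns the parameters the NTP client then needs (server, port, AEAD, cookies). The TLS handshake itself (ALPN `ntske/1`, certificate verification, key export) is deliberately left out; the server name `ntp.example.invalid` and the cookie bytes are constructed placeholders.

```python
import struct

# NTS-KE record types (RFC 8915, Section 4.1)
END_OF_MESSAGE = 0
NEXT_PROTOCOL = 1
ERROR = 2
WARNING = 3
AEAD_ALGORITHM = 4
NEW_COOKIE = 5
NTPV4_SERVER = 6
NTPV4_PORT = 7

CRITICAL_BIT = 0x8000        # high bit of the 16-bit record type field
NTPV4_PROTOCOL_ID = 0        # "NTPv4" in the Next Protocol registry
AEAD_AES_SIV_CMAC_256 = 15   # mandatory-to-implement AEAD for NTS
DEFAULT_NTP_PORT = 123       # NTP packets stay on 123 unless the server says otherwise


def encode_record(rtype, body, critical):
    """Frame one NTS-KE record: 2-byte type (with critical bit), 2-byte body length, body."""
    hdr = rtype | (CRITICAL_BIT if critical else 0)
    return struct.pack("!HH", hdr, len(body)) + body


def build_client_request():
    """Client -> server: ask for NTPv4 with AES-SIV-CMAC-256, then End of Message."""
    return (
        encode_record(NEXT_PROTOCOL, struct.pack("!H", NTPV4_PROTOCOL_ID), critical=True)
        + encode_record(AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256), critical=False)
        + encode_record(END_OF_MESSAGE, b"", critical=True)
    )


def parse_records(data):
    """Split a byte string into (type, critical, body) tuples up to End of Message."""
    records = []
    off = 0
    while off + 4 <= len(data):
        hdr, length = struct.unpack_from("!HH", data, off)
        off += 4
        body = data[off:off + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        off += length
        rtype = hdr & 0x7FFF
        records.append((rtype, bool(hdr & CRITICAL_BIT), body))
        if rtype == END_OF_MESSAGE:
            return records
    raise ValueError("response has no End of Message record")


def parse_server_response(data, default_server):
    """Validate the server's NTS-KE answer and return what the NTP client must use next."""
    result = {"server": default_server, "port": DEFAULT_NTP_PORT, "aead": None, "cookies": []}
    saw_protocol = False
    for rtype, critical, body in parse_records(data):
        if rtype == END_OF_MESSAGE:
            break
        if rtype == ERROR:
            code = struct.unpack("!H", body)[0] if len(body) == 2 else None
            raise ValueError("server returned NTS-KE error code %r" % code)
        if rtype == WARNING:
            continue  # non-fatal; a real client would log the code
        if rtype == NEXT_PROTOCOL:
            if len(body) % 2:
                raise ValueError("malformed Next Protocol record")
            ids = struct.unpack("!%dH" % (len(body) // 2), body)
            if NTPV4_PROTOCOL_ID not in ids:
                raise ValueError("server did not agree on NTPv4")
            saw_protocol = True
        elif rtype == AEAD_ALGORITHM:
            if len(body) != 2 or struct.unpack("!H", body)[0] != AEAD_AES_SIV_CMAC_256:
                raise ValueError("server chose an AEAD we did not offer")
            result["aead"] = AEAD_AES_SIV_CMAC_256
        elif rtype == NEW_COOKIE:
            result["cookies"].append(body)
        elif rtype == NTPV4_SERVER:
            result["server"] = body.decode("ascii")
        elif rtype == NTPV4_PORT:
            result["port"] = struct.unpack("!H", body)[0]
        elif critical:
            # RFC 8915: an unrecognised critical record must abort the negotiation
            raise ValueError("unknown critical record type %d" % rtype)
    if not saw_protocol or result["aead"] is None or not result["cookies"]:
        raise ValueError("incomplete NTS-KE response")
    return result


def constructed_server_response():
    """Constructed sample answer (not captured from a real server): two cookies plus a server redirect."""
    return (
        encode_record(NEXT_PROTOCOL, struct.pack("!H", NTPV4_PROTOCOL_ID), critical=True)
        + encode_record(AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256), critical=True)
        + encode_record(NEW_COOKIE, b"\x00" * 4 + b"cookie-one", critical=False)
        + encode_record(NEW_COOKIE, b"\x00" * 4 + b"cookie-two", critical=False)
        + encode_record(NTPV4_SERVER, b"ntp.example.invalid", critical=False)
        + encode_record(END_OF_MESSAGE, b"", critical=True)
    )


if __name__ == "__main__":
    print(build_client_request().hex())
    print(parse_server_response(constructed_server_response(), "time.cloudflare.com"))
```

The point for the feature request: the cookies and the negotiated AEAD only come out of a TLS session that verified the server's certificate, which is what turns "server auth via certs" into spoof-resistant NTP. A plain-NTP fallback should therefore be an explicit, logged downgrade rather than a silent one.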