Pi-hole thousands of requests to NTP servers

Valiceemo · March 4, 2020, 6:35pm

I've noticed that my pihole is making thousands of queries to NTP servers.
Any ideas why it would do this and is it normal?

Mar  4 17:51:36 dnsmasq[13568]: query[A] 3.debian.pool.ntp.org from 127.0.0.1
Mar  4 17:51:36 dnsmasq[13568]: config 3.debian.pool.ntp.org is 192.168.0.45
Mar  4 17:51:36 dnsmasq[13568]: query[AAAA] 3.debian.pool.ntp.org from 127.0.0.1Mar  4 17:51:36 dnsmasq[13568]: config 3.debian.pool.ntp.org is NODATA-IPv6
Mar  4 17:51:59 dnsmasq[13568]: query[A] 1.debian.pool.ntp.org from 127.0.0.1
Mar  4 17:51:59 dnsmasq[13568]: config 1.debian.pool.ntp.org is 192.168.0.45
Mar  4 17:51:59 dnsmasq[13568]: query[AAAA] 1.debian.pool.ntp.org from 127.0.0.1Mar  4 17:51:59 dnsmasq[13568]: config 1.debian.pool.ntp.org is NODATA-IPv6
Mar  4 17:52:04 dnsmasq[13568]: query[A] 0.debian.pool.ntp.org from 127.0.0.1
Mar  4 17:52:04 dnsmasq[13568]: config 0.debian.pool.ntp.org is 192.168.0.45
Mar  4 17:52:04 dnsmasq[13568]: query[AAAA] 0.debian.pool.ntp.org from 127.0.0.1Mar  4 17:52:04 dnsmasq[13568]: config 0.debian.pool.ntp.org is NODATA-IPv6
Mar  4 17:52:13 dnsmasq[13568]: query[A] 2.debian.pool.ntp.org from 127.0.0.1
Mar  4 17:52:13 dnsmasq[13568]: config 2.debian.pool.ntp.org is 192.168.0.45
Mar  4 17:52:13 dnsmasq[13568]: query[AAAA] 2.debian.pool.ntp.org from 127.0.0.1Mar  4 17:52:13 dnsmasq[13568]: config 2.debian.pool.ntp.org is NODATA-IPv6
Mar  4 17:52:40 dnsmasq[13568]: query[A] 3.debian.pool.ntp.org from 127.0.0.1
Mar  4 17:52:40 dnsmasq[13568]: config 3.debian.pool.ntp.org is 192.168.0.45
Mar  4 17:52:40 dnsmasq[13568]: query[AAAA] 3.debian.pool.ntp.org from 127.0.0.1Mar  4 17:52:40 dnsmasq[13568]: config 3.debian.pool.ntp.org is NODATA-IPv6
Mar  4 17:53:04 dnsmasq[13568]: query[A] 1.debian.pool.ntp.org from 127.0.0.1
Mar  4 17:53:04 dnsmasq[13568]: config 1.debian.pool.ntp.org is 192.168.0.45
Mar  4 17:53:04 dnsmasq[13568]: query[AAAA] 1.debian.pool.ntp.org from 127.0.0.1Mar  4 17:53:04 dnsmasq[13568]: config 1.debian.pool.ntp.org is NODATA-IPv6
Mar  4 17:53:10 dnsmasq[13568]: query[A] 0.debian.pool.ntp.org from 127.0.0.1
Mar  4 17:53:10 dnsmasq[13568]: config 0.debian.pool.ntp.org is 192.168.0.45
Mar  4 17:53:10 dnsmasq[13568]: query[AAAA] 0.debian.pool.ntp.org from 127.0.0.1Mar  4 17:53:10 dnsmasq[13568]: config 0.debian.pool.ntp.org is NODATA-IPv6
Mar  4 17:53:18 dnsmasq[13568]: query[A] 2.debian.pool.ntp.org from 127.0.0.1
Mar  4 17:53:18 dnsmasq[13568]: config 2.debian.pool.ntp.org is 192.168.0.45
Mar  4 17:53:18 dnsmasq[13568]: query[AAAA] 2.debian.pool.ntp.org from 127.0.0.1Mar  4 17:53:18 dnsmasq[13568]: config 2.debian.pool.ntp.org is NODATA-IPv6
Mar  4 17:53:45 dnsmasq[13568]: query[A] 3.debian.pool.ntp.org from 127.0.0.1
Mar  4 17:53:45 dnsmasq[13568]: config 3.debian.pool.ntp.org is 192.168.0.45
Mar  4 17:53:45 dnsmasq[13568]: query[AAAA] 3.debian.pool.ntp.org from 127.0.0.1Mar  4 17:53:45 dnsmasq[13568]: config 3.debian.pool.ntp.org is NODATA-IPv6
Mar  4 17:54:11 dnsmasq[13568]: query[A] 1.debian.pool.ntp.org from 127.0.0.1
Mar  4 17:54:11 dnsmasq[13568]: config 1.debian.pool.ntp.org is 192.168.0.45
Mar  4 17:54:11 dnsmasq[13568]: query[AAAA] 1.debian.pool.ntp.org from 127.0.0.1Mar  4 17:54:11 dnsmasq[13568]: config 1.debian.pool.ntp.org is NODATA-IPv6

jfb · March 4, 2020, 7:11pm

To be clear, this is not the Pi-hole software making these requests. It is some other process on the host platform that is making the ntp queries.

This may indicate that the time on the host device is so far off that it cannot be reset using the ntp servers. Check the date/time with the date command and verify that they are correct for your location and time.

Valiceemo · March 4, 2020, 7:14pm

Hmm, interesting.
Using date I see the time is actually wrong on the pihole

jfb · March 4, 2020, 7:15pm

Set the date/time correctly and the ntp queries will be greatly reduced. Either of these will do it - just put in the correct date and time values:

sudo date --set="21 December 2018 11:53:30"
timedatectl set-time '2015-11-20 16:14:50'

Valiceemo · March 4, 2020, 7:17pm

Thanks, was going to verify how to do so
I'm in the UK. Could it have anything to do with daylight savings?

jfb · March 4, 2020, 7:19pm

I don't know how Linux handles daylight savings in various countries. Make sure your timezone is correct, and DST should be automatic.

Valiceemo · March 4, 2020, 7:21pm

Timezone is correct according to raspi-config but confirms the incorrect time

Current default time zone: 'Europe/London'
Local time is now:      Wed Mar  4 18:48:13 GMT 2020.
Universal Time is now:  Wed Mar  4 18:48:13 UTC 2020.

Actual time was 19:18

PromoFaux · March 4, 2020, 7:44pm

Then it will not be daylight savings, as one would expect it to be an hour out.

Daylight savings is the difference between GMT and UTC in that output. As we are not currently in daylight savings in the UK, GMT and UTC are equal.

Valiceemo · March 4, 2020, 7:45pm

Doing a bit of digging and I think this might be an error with ntpd on the Pi...

pi@pi-hole:~ $ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.002
 1.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.002
 2.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.002
 3.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.002

This implies that the time servers can't be reached?

Valiceemo · March 4, 2020, 7:48pm

Yes, agreed
It's 15 minutes out. Behind

jfb · March 4, 2020, 7:48pm

Try pinging them directly.

Valiceemo · March 4, 2020, 7:53pm

I can ping 0.debian.pool.ntp.org etc
But not what's listed from ntpq -p

Valiceemo · March 4, 2020, 7:59pm

Just remembered I setup something a while ago to have NTP queries forwarded to the pihole...could it be related?

pi@pi-hole:~ $ cat /etc/dnsmasq.d/05-pihole-timeserver-redirect.conf
address=/time-nw.nist.gov/192.168.0.45
address=/nz.pool.ntp.org/192.168.0.45
address=/time.nist.gov/192.168.0.45
address=/time-a.nist.gov/192.168.0.45
address=/time-b.nist.gov/192.168.0.45
address=/nl.pool.ntp.org/192.168.0.45
address=/0.nl.pool.ntp.org/192.168.0.45
address=/pool.ntp.org/192.168.0.45

DanSchaper · March 4, 2020, 8:09pm

Do you have an NTP server on the Pi-hole? Something Stratum 1 or 2 or somehow able to get the correct time without needing DNS?

Valiceemo · March 4, 2020, 8:11pm

It's just a stock install of raspbian buster which includes one?
Unless I've been particularly dumb here.
I have a /etc/ntp.conf file

DanSchaper · March 4, 2020, 8:13pm

Yeah, you told everyone to use Pi-hole as the NTP server without actually having an NTP server where you told everyone to go.

Valiceemo · March 4, 2020, 8:14pm

So yeah. Incredibly dumb
I was under the impression that raspbian shipped with the server?

DanSchaper · March 4, 2020, 8:16pm

Server? No, Raspberry Pi do not have Real Time Clocks so an NTP server would be very bad. You could add a GPS receiver with PPS capability to build a Stratum1/2 NTP server on the Raspberry Pi though. But that's for another forum.

Valiceemo · March 4, 2020, 8:18pm

Boy do I look stupid....and deservedly
So I guess if I remove /etc/dnsmasq.d/05-pihole-timeserver-redirect.conf and then restart with sudo service pihole-FTL restart I'll be good?

HappyBob · March 4, 2020, 8:19pm

jpgpi created a manual on how to set it up. Manual.