Redirect ntp request to local router

Can I redirect local ntp requests to my local router (fritzbox) which provides time data ?

My assumption was to enter the domains in "Local DNS Records" with the local router IP. The test failed with

Temporary failure in name resolution

Please provide more detail. What entries were entered into Local DNS records? If you do an nslookup or dig to Pi-hole for one of those domains, what is the reply?

For example:
Domain "time.windows.com"
IP: "192.168.178.1"

It doesn't seem to be working as required, a lookup was performed 2x in a row:

nslookup time.windows.com
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: time.windows.com
Address: 192.168.178.1
time.windows.com canonical name = twc.trafficmanager.net.

nslookup time.windows.com
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
time.windows.com canonical name = twc.trafficmanager.net.
Name: twc.trafficmanager.net
Address: 40.119.148.38

@jfb
I tried a ping to the domain, but now it just redirects to "40.119.148.38", similar to nslookup.

The ping and nslookup were run on an Ubuntu client using the Pi-hole DNS.

No, not with Pi-hole.
As a filtering DNS resolver, Pi-hole never sees NTP requests - it only ever sees DNS.

Yet if clients were to access time servers by their domain name, then the corresponding DNS request could be answered with a local private IP, shadowing the actual public IP.

I guess that is what you are trying to accomplish, and you are on the right track. Creating respective local DNS records within Pi-hole is a correct approach.

However, your clients need to send their DNS requests to your Pi-hole to actually put those local DNS records in effect.

And the client executing your nslookups is not using Pi-hole for DNS, but a local stub resolver at 127.0.0.53:

You should consider configuring that stub resolver to use Pi-hole as its sole upstream.

Currently, it seems to use at least one alternate DNS server in addition to Pi-hole, which is likely why you get mixed results from repeated nslookups, depending on which upstream was used by the stub for a specific request.


Instead of hijacking with local DNS records, you could also consider advertising your own NTP server(s) to your clients via below DHCP server option:

pi@ph5b:~ $ pihole-FTL -- --help dhcp
Known DHCP options:
[..]
 42 ntp-server

Some routers allow you to advertise your own DHCP options so check the manual if supported.
Windows and others should adhere to this NTP server advertised.

If Pi-hole is doing DHCP for your network, it's as easy as:

pi@ph5b:~ $ sudo nano /etc/dnsmasq.d/99-my-settings.conf
dhcp-option=option:ntp-server,10.0.0.3
pi@ph5b:~ $ pihole-FTL --test
dnsmasq: syntax check OK.
pi@ph5b:~ $ sudo service pihole-FTL reload
pi@ph5b:~ $

And check:

pi@ph5b:~ $ pihole-FTL dhcp-discover
Scanning all your interfaces for DHCP servers
[..]
   ntp-server: 10.0.0.3

That is one of the default NTP servers that Windows is using.

I'm not sure if all Windows OS versions would honor the DHCP supplied NTP server. I guess they could also be sticking with that if you ever clicked OK in Windows' internet time settings panel.
It would be easy enough to change that to an arbitrary NTP server via Windows' internet time settings on each respective Windows machine.

Shadowing time.windows.com would have the advantage of handling all such machines in one go.

Another option would be to have your router (or a dedicated firewall machine) indeed redirect NTP requests to a given NTP server. That would probably be the safest option, also covering NTP server access by IP, but that'd depend on the availability of such controls in U5xdy's network. It also would be out of Pi-hole's scope.

@U5xdy, whatever approach you would follow to address your time server issue:
You'd have to handle your stub resolver separately, to avoid that client bypassing your Pi-hole.

It would be good if all devices in the network would use the existing local NTP server from the router. The fritzbox has an option to offer the time in the settings.
With the Pihole I was able to read out the ntp entry via dhcp-discover:

sudo pihole-FTL dhcp-discover
Scanning all your interfaces for DHCP servers
Timeout: 10 seconds

* Received 548 bytes from eth0:192.168.178.1
...
  DHCP options:
...
   router: 192.168.178.1
...
   ntp-server: 192.168.178.1
...

That looks correct, some devices then probably ignore the ntp entry?
There are no ntp-server options displayed with pihole-FTL -- --help dhcp.

I picked time.windows.com by random.
It is primarily about an IP camera from Tapo; judging from its DNS requests, the following servers are being contacted:

time.nist.gov
time-a.nist.gov
time-b.nist.gov
time.windows.com
time-nw.nist.gov
au.pool.ntp.org
nz.pool.ntp.org

The camera seems to ignore the local ntp, after changing the local dns record time.windows.com, the time has now been updated. It took a while to update, but the DNS record hijacking seems to be working for this device.

That is strange, I noticed the results are somehow mixed. But resolvectl --no-pager on my ubuntu is only responding with my local pihole ip.

I use an additional dnsmasq file /etc/dnsmasq.d/13-NTPtime.conf, redirecting everything to my pfsense box, content:

cname=0.android.pool.ntp.org,pfsense.localdomain
cname=0.debian.pool.ntp.org,pfsense.localdomain
cname=0.europe.pool.ntp.org,pfsense.localdomain
cname=0.irobot.pool.ntp.org,pfsense.localdomain
cname=1.android.pool.ntp.org,pfsense.localdomain
cname=1.debian.pool.ntp.org,pfsense.localdomain
cname=1.europe.pool.ntp.org,pfsense.localdomain
cname=1.irobot.pool.ntp.org,pfsense.localdomain
cname=1.pool.ntp.org,pfsense.localdomain
cname=2.android.pool.ntp.org,pfsense.localdomain
cname=2.debian.pool.ntp.org,pfsense.localdomain
cname=2.europe.pool.ntp.org,pfsense.localdomain
cname=2.irobot.pool.ntp.org,pfsense.localdomain
cname=3.android.pool.ntp.org,pfsense.localdomain
cname=3.debian.pool.ntp.org,pfsense.localdomain
cname=3.europe.pool.ntp.org,pfsense.localdomain
cname=3.irobot.pool.ntp.org,pfsense.localdomain
cname=ntp.airable.io,pfsense.localdomain
cname=ntp.msn.com,pfsense.localdomain
cname=time-a.nist.gov,pfsense.localdomain
cname=time-b.nist.gov,pfsense.localdomain
cname=time-nw.nist.gov,pfsense.localdomain
cname=time.akamai.com,pfsense.localdomain
cname=time.android.com,pfsense.localdomain
cname=time.nist.gov,pfsense.localdomain
cname=time.windows.com,pfsense.localdomain

result (pihole Query Log):

and (piholelog)

Apr  2 07:31:07 dnsmasq[731]: 15350 192.168.2.25/53553 query[A] 2.android.pool.ntp.org from 192.168.2.25
Apr  2 07:31:07 dnsmasq[731]: 15350 192.168.2.25/53553 config 2.android.pool.ntp.org is <CNAME>
Apr  2 07:31:07 dnsmasq[731]: 15350 192.168.2.25/53553 /etc/localdns.list pfsense.localdomain is 192.168.2.251
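To check from the log whether the CNAME shadowing is actually taking effect, here is an added example (my own code, not part of this thread or of Pi-hole) that groups pihole.log lines of the format posted above by their query id and reports, per NTP-looking hostname, whether the client got a LAN address, a public address, or only a CNAME with no address at all. The sample lines and the 203.0.113.x addresses are constructed; the hostname heuristic is my assumption.

```python
import ipaddress
# Constructed sample in the pihole.log format posted above; the query id after
# "dnsmasq[pid]:" ties one lookup's lines together. 203.0.113.x are TEST-NET-3 placeholders.
SAMPLE_LOG = """\
Apr  2 07:31:07 dnsmasq[731]: 15350 192.168.2.25/53553 query[A] 2.android.pool.ntp.org from 192.168.2.25
Apr  2 07:31:07 dnsmasq[731]: 15350 192.168.2.25/53553 config 2.android.pool.ntp.org is <CNAME>
Apr  2 07:31:07 dnsmasq[731]: 15350 192.168.2.25/53553 /etc/localdns.list pfsense.localdomain is 192.168.2.251
Apr  2 07:31:09 dnsmasq[731]: 15351 192.168.2.30/41022 query[A] time.nist.gov from 192.168.2.30
Apr  2 07:31:09 dnsmasq[731]: 15351 192.168.2.30/41022 reply time.nist.gov is 203.0.113.123
Apr  2 07:31:12 dnsmasq[731]: 15352 192.168.2.40/50001 query[A] 1.debian.pool.ntp.org from 192.168.2.40
Apr  2 07:31:12 dnsmasq[731]: 15352 192.168.2.40/50001 config 1.debian.pool.ntp.org is <CNAME>
"""

LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_ntp_name(name):
    """Heuristic (an assumption, not a Pi-hole rule) for hostnames used by time clients."""
    return name.endswith("pool.ntp.org") or "ntp" in name or name.startswith("time")

def parse_log(text):
    """Group lines by query id: queried name, whether a CNAME was served, answer IPs."""
    queries = {}
    for line in text.splitlines():
        f = line.split("]: ", 1)[-1].split()      # qid, client/port, action, name, ...
        if len(f) < 6 or not f[0].isdigit():      # skip blank or non-query lines
            continue
        q = queries.setdefault(f[0], {"name": None, "cname": False, "ips": []})
        if f[2].startswith("query["):
            q["name"] = f[3]
        elif f[4:6] == ["is", "<CNAME>"]:
            q["cname"] = True
        elif f[4] == "is":
            try:
                q["ips"].append(ipaddress.ip_address(f[5]))
            except ValueError:                    # NXDOMAIN, <HTTPS>, ...
                pass
    return queries

def classify(text=SAMPLE_LOG):
    """Verdict per NTP-looking name: shadowed (LAN IP), leaked (public IP), cname-only, unanswered."""
    verdicts = {}
    for q in parse_log(text).values():
        if not q["name"] or not is_ntp_name(q["name"]):
            continue
        if q["ips"]:
            on_lan = all(any(ip in net for net in LAN) for ip in q["ips"])
            verdicts[q["name"]] = "shadowed" if on_lan else "leaked"
        else:
            verdicts[q["name"]] = "cname-only" if q["cname"] else "unanswered"
    return verdicts
```

A "cname-only" verdict means dnsmasq served the CNAME but never produced an address for its target, so a client whose resolver does not chase the CNAME itself gets no usable answer; run `classify(open("/var/log/pihole.log").read())` against the real log.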

That looks promising, even if I would rather have the settings in the pihole interface, which are then also exported with the teleporter.

The problem with the entry under DNS records is that the query log shows time.windows.com as the client instead of fritz.box, which is very inappropriate.

Does the file only have to be created with my router entry fritz.box, without restarting a service?
The local IP would also be possible here?

cname=1.europe.pool.ntp.org,fritz.box
...

I noticed cname in the config file, can I add these records in the pihole interface at CNAME Records, these do not interfere with the dns name of the router?

if you want fancy stuff, read the dnsmasq man, implement it, and remember (backup) the changes you made (files you created)

change pfsense.localdomain into fritz.box in the list I posted earlier.

sudo service pihole-FTL restart is required.

CNAME entries require a DNS name.
add another configuration line (replace the IP address)

address=/fritz.box/192.168.2.57

Thanks, will test it!
Sorry, my question was about whether it's already implemented since CNAME Records in the interface presumably does the same thing?

no idea / don't use that feature.

looks like /var/www/html/admin/scripts/pi-hole/php/teleporter.php does backup all files in /etc/dnsmasq.d, source code:

    archive_add_directory('/etc/dnsmasq.d/', 'dnsmasq.d/');

Not sure, needs to be confirmed by development team (or simply use teleporter and check if the additional file is in there - you need the address= entry anyway, can't be done with pi-hole interface, as far as I know), again, not using that feature.


if you've setup everything, download (windows) a portable ntpcheck here, click on download (near bottom of page), run the download (portable - no installation) and test your config (enter fritz.box as NTP server), result looks like this:

then, repeat the test with one of the entries from the above list, this should return similar results.

query log should show:


e.g. server entry, you tested, OK (cache) and CNAME

You're right, it wasn't on a Windows game rig of mine.
Had to manually set the NTP IP in Windows time settings:

C:\>W32tm /query /configuration
[..]
NtpServer: 10.0.0.3,0x9 (Local)

And dhcpcd applied by Pi-OS needed below option to be uncommented to work:

pi@ph5b:~ $ sudo nano /etc/dhcpcd.conf
[..]
# Most distributions have NTP support.
option ntp_servers

With my Debian laptop that runs NetworkManager it seems I have to create my own script, which sounds a bit over the top:

https://wiki.archlinux.org/title/NetworkManager#Dynamically_set_NTP_servers_received_via_DHCP_with_systemd-timesyncd

The only one that I guess is honoring the NTP servers advertised OOTB is I believe my Android devices that have a setting:
"Use the date and time provided by your network".
Which is enabled by default:

https://source.android.com/docs/core/connect/time#automatic-time

What a big disappointment and sorry for the bad advice :wink:

For Linux systems you have ntpdate which is deprecated but I prefer output and ease over the sntp tool:

pi@ph5b:~ $ apt show ntpdate
[..]
Description: client for setting system time from NTP servers (deprecated)
 NTP, the Network Time Protocol, is used to keep computer clocks
 accurate by synchronizing them over the Internet or a local network,
 or by following an accurate hardware receiver that interprets GPS,
 DCF-77, NIST or similar time signals.
 .
 ntpdate is deprecated. Please use sntp instead for manual or scripted
 NTP queries/syncs.

Can do a query(-q) only with below:

pi@ph5b:~ $ ntpdate -q 0.debian.pool.ntp.org
server 108.61.164.200, stratum 2, offset -0.003647, delay 0.04095
server 188.226.239.160, stratum 2, offset -0.001897, delay 0.05153
server 162.159.200.123, stratum 3, offset -0.004360, delay 0.03931
server 185.51.192.34, stratum 2, offset -0.001586, delay 0.03712
 2 Apr 12:43:49 ntpdate[1006]: adjust time server 185.51.192.34 offset -0.001586 sec

I added some more

cname=ntp.ubuntu.com,fritz.box
cname=tablet.ntp-fireos.com,fritz.box
cname=ftv-smp.ntp-fireos.com,fritz.box

Seem to work as required:

ntpdate -q ftv-smp.ntp-fireos.com
server 192.168.178.1, stratum 3, offset +0.005044, delay 0.02809
 2 Apr 13:50:54 ntpdate[12677]: adjust time server 192.168.178.1 offset +0.005044 sec

ntpdate -q 3.europe.pool.ntp.org
server 192.168.178.1, stratum 3, offset +0.005529, delay 0.02753
 2 Apr 13:51:06 ntpdate[12682]: adjust time server 192.168.178.1 offset +0.005529 sec


nslookup 3.europe.pool.ntp.org
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
3.europe.pool.ntp.org	canonical name = fritz.box.
Name:	fritz.box
Address: 192.168.178.1

nslookup time.windows.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
time.windows.com	canonical name = fritz.box.
Name:	fritz.box
Address: 192.168.178.1

Yes, the 13-NTPtime.conf file is inside the teleporter archive.

I discovered that on raspbian, it can not be resolved:

ntpdate 1.debian.pool.ntp.org
Error resolving 1.debian.pool.ntp.org: Name or service not known (-2)
 2 Apr 14:38:35 ntpdate[32230]: Can't find host 1.debian.pool.ntp.org: Name or service not known (-2)
 2 Apr 14:38:35 ntpdate[32230]: no servers can be used, exiting

nslookup on raspbian returns only:

Server:         192.168.178.15
Address:        192.168.178.15#53
1.debian.pool.ntp.org   canonical name = fritz.box.

on the other hand under ubuntu:

Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
1.debian.pool.ntp.org	canonical name = fritz.box.
Name:	fritz.box
Address: 192.168.178.1

The requests from the raspbian os are in the pihole log, same response as here with cname:

What can be the reason?
(temporarily set to unresolved, the problem occurs on both devices with raspbian)

Dnsmasq configuration files in /etc/dnsmasq.d are exported by the teleporter.

... but not restored via teleporter (except static leases and local CNAMEs).

ok, the most important thing is that it is in the backup.

I tested on android with a ntp time app the time server.
As on raspbian, 1.debian.pool.ntp.org is not working, but the direct call to fritz.box is working.

The cname record has only worked reliably on ubuntu. I don't understand why and how to solve this.

The only difference seems to be, nslookup shows under ubuntu Server: 127.0.0.53 and raspbian the direct pihole ip address .

Does anyone have an idea to investigate the problem further?