Redirect ntp request to local router

dig 1.debian.pool.ntp.org

; <<>> DiG 9.16.37-Raspbian <<>> 1.debian.pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29914
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;1.debian.pool.ntp.org.         IN      A

;; ANSWER SECTION:
1.debian.pool.ntp.org.  0       IN      CNAME   pfsense.localdomain.
pfsense.localdomain.    0       IN      A       192.168.2.251

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Apr 02 20:34:10 CEST 2023
;; MSG SIZE  rcvd: 99

EDIT:

nslookup 1.debian.pool.ntp.org
Server:         127.0.0.1
Address:        127.0.0.1#53

1.debian.pool.ntp.org   canonical name = pfsense.localdomain.
Name:   pfsense.localdomain
Address: 192.168.2.251

Did you add the address= configuration?

address=/fritz.box/192.168.178.1

Typo in the configuration file?

ubuntu:

dig 1.debian.pool.ntp.org

; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> 1.debian.pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65170
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;1.debian.pool.ntp.org.		IN	A

;; ANSWER SECTION:
1.debian.pool.ntp.org.	0	IN	CNAME	fritz.box.
fritz.box.		9	IN	A	192.168.178.1

;; AUTHORITY SECTION:
fritz.box.		9	IN	NS	fritz.box.

;; Query time: 11 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sun Apr 02 21:23:54 CEST 2023
;; MSG SIZE  rcvd: 103

raspbian:

dig 1.debian.pool.ntp.org

; <<>> DiG 9.11.5-P4-5.1+deb10u8-Raspbian <<>> 1.debian.pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4444
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;1.debian.pool.ntp.org.		IN	A

;; ANSWER SECTION:
1.debian.pool.ntp.org.	0	IN	CNAME	fritz.box.

;; Query time: 2 msec
;; SERVER: 192.168.178.15#53(192.168.178.15)
;; WHEN: Sun Apr 02 21:24:40 CEST 2023
;; MSG SIZE  rcvd: 73

pihole log entry:

2023-04-02 21:24:40 	A	1.debian.pool.ntp.org	raspbian.fritz.box	OK (cache)	CNAME (0.1ms)

No, it is currently without an IP; the exact content of the configuration:

cname=0.android.pool.ntp.org,fritz.box
cname=0.debian.pool.ntp.org,fritz.box
cname=0.europe.pool.ntp.org,fritz.box
cname=0.irobot.pool.ntp.org,fritz.box
cname=1.android.pool.ntp.org,fritz.box
cname=1.debian.pool.ntp.org,fritz.box
cname=1.europe.pool.ntp.org,fritz.box
cname=1.irobot.pool.ntp.org,fritz.box
cname=1.pool.ntp.org,fritz.box
cname=2.android.pool.ntp.org,fritz.box
cname=2.debian.pool.ntp.org,fritz.box
cname=2.europe.pool.ntp.org,fritz.box
cname=2.irobot.pool.ntp.org,fritz.box
cname=3.android.pool.ntp.org,fritz.box
cname=3.debian.pool.ntp.org,fritz.box
cname=3.europe.pool.ntp.org,fritz.box
cname=3.irobot.pool.ntp.org,fritz.box
cname=ntp.airable.io,fritz.box
cname=ntp.msn.com,fritz.box
cname=time-a.nist.gov,fritz.box
cname=time-b.nist.gov,fritz.box
cname=time-nw.nist.gov,fritz.box
cname=time.akamai.com,fritz.box
cname=time.android.com,fritz.box
cname=time.nist.gov,fritz.box
cname=time.windows.com,fritz.box
cname=ntp.ubuntu.com,fritz.box
cname=tablet.ntp-fireos.com,fritz.box
cname=ftv-smp.ntp-fireos.com,fritz.box

Feels like that Raspbian host is able to resolve the 1.debian.pool.ntp.org alias to that fritz.box CNAME.
But it can't resolve the fritz.box name to an actual IP.
Did you check below on that Raspbian host?

dig fritz.box.

or:

nslookup fritz.box.

Notice the dot "." at the end so the host doesn't add its own search/suffix domain.

The result seems fine:

nslookup fritz.box.
Server:		192.168.178.15
Address:	192.168.178.15#53

Name:	fritz.box
Address: 192.168.178.1

dig fritz.box.

; <<>> DiG 9.11.5-P4-5.1+deb10u8-Raspbian <<>> fritz.box.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10426
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fritz.box.			IN	A

;; ANSWER SECTION:
fritz.box.		4	IN	A	192.168.178.1

;; Query time: 5 msec
;; SERVER: 192.168.178.15#53(192.168.178.15)
;; WHEN: Sun Apr 02 21:57:10 CEST 2023
;; MSG SIZE  rcvd: 54

Can you run below query again and post the resulting Pi-hole log entries please?

dig 1.debian.pool.ntp.org.

You can tail/follow the logs live in another session with below:

pihole -t

I just checked on my Pi's:

pi@ph5a:~ $ sudo nano /etc/dnsmasq.d/99-ntp.conf
cname=1.debian.pool.ntp.org,nas.home.dehakkelaar.nl
pi@ph5a:~ $ pihole-FTL --test
dnsmasq: syntax check OK.
pi@ph5a:~ $ sudo service pihole-FTL reload
pi@ph5a:~ $

Seems to work fine with me from a client:

pi@raspberrypi:~ $ dig +short 1.debian.pool.ntp.org
nas.home.dehakkelaar.nl.
10.0.0.3
pi@raspberrypi:~ $ ntpdate -q 1.debian.pool.ntp.org
server 10.0.0.3, stratum 3, offset +0.001038, delay 0.02698
 2 Apr 22:16:53 ntpdate[1638]: adjust time server 10.0.0.3 offset +0.001038 sec

Yes.
Pi-hole is storing its CNAME definitions in /etc/dnsmasq.d/05-pihole-custom-cname.conf.
That is really the same as creating that custom file, while adding the benefit of allowing you to review and alter CNAMEs via Pi-hole's UI as well, plus teleporter backups and restores work as well.

pihole-FTL --test
dnsmasq: syntax check OK.

raspbian:

Apr  2 22:28:00: query[A] 1.debian.pool.ntp.org from 192.168.178.17
Apr  2 22:28:00: config 1.debian.pool.ntp.org is <CNAME>

ubuntu:

Apr  2 22:28:43: query[A] 1.debian.pool.ntp.org from 192.168.178.18
Apr  2 22:28:43: config 1.debian.pool.ntp.org is <CNAME>
Apr  2 22:28:43: query[A] fritz.box from 192.168.178.18
Apr  2 22:28:43: forwarded fritz.box to 192.168.178.1
Apr  2 22:28:43: reply fritz.box is 192.168.178.1

On Raspbian there are only two log entries, no attempt to contact the provided target.

It is Raspbian with the version codename Buster.
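The two log excerpts above differ only in what follows the `config ... is <CNAME>` line: the Ubuntu client's log continues with a lookup of the target, the Raspbian client's does not. The script below is an added example (not from the thread or the Pi-hole project) that automates that comparison over pihole.log lines. The log text and the cname= rules are constructed inline to mirror the posted entries; the check assumes that when dnsmasq can complete a CNAME the very next log line names the target (a `query[A]`, `/etc/pihole/custom.list ... is`, `cached ... is` or `forwarded` line), which is what the posted logs show.

```shell
#!/bin/sh
# Added example (not from the thread or the Pi-hole project): read pihole.log
# lines and report, for every query answered from a cname= rule, whether
# dnsmasq went on to look up the CNAME target. A missing follow-up is the
# symptom shown above: the client gets the CNAME but no address.

# Constructed log excerpt mirroring the two clients posted above.
LOG_SAMPLE='Apr  2 22:28:00: query[A] 1.debian.pool.ntp.org from 192.168.178.17
Apr  2 22:28:00: config 1.debian.pool.ntp.org is <CNAME>
Apr  2 22:28:43: query[A] 1.debian.pool.ntp.org from 192.168.178.18
Apr  2 22:28:43: config 1.debian.pool.ntp.org is <CNAME>
Apr  2 22:28:43: query[A] fritz.box from 192.168.178.18
Apr  2 22:28:43: forwarded fritz.box to 192.168.178.1
Apr  2 22:28:43: reply fritz.box is 192.168.178.1'

# Constructed cname= rules; the target is needed to know what to look for.
CNAME_CONF='cname=0.debian.pool.ntp.org,1.debian.pool.ntp.org,fritz.box
cname=time.nist.gov,fritz.box,60'

# usage: check_cname_chain "<cname config>" "<log text>"
# prints one line per CNAME answer: alias -> target: resolved|UNRESOLVED
check_cname_chain() {
  { printf '%s\n' "$1"; printf '%s\n' '--LOG--'; printf '%s\n' "$2"; } | awk '
    /^--LOG--$/ { inlog = 1; next }
    !inlog {
      # cname=<alias>[,<alias>...],<target>[,<TTL>]
      if ($0 ~ /^cname=/) {
        n = split(substr($0, 7), f, ",")
        if (f[n] ~ /^[0-9]+$/) n--            # drop trailing TTL field
        for (i = 1; i < n; i++) target[f[i]] = f[n]
      }
      next
    }
    { line[++m] = $0 }
    END {
      for (i = 1; i <= m; i++) {
        # e.g. "Apr  2 22:28:00: config 1.debian.pool.ntp.org is <CNAME>"
        if (line[i] !~ / config [^ ]+ is <CNAME>$/) continue
        alias = line[i]
        sub(/.* config /, "", alias); sub(/ is <CNAME>$/, "", alias)
        t = (alias in target) ? target[alias] : "?"
        # a working chain is immediately followed by a line naming the
        # target ("query[A] <target>", "/etc/pihole/custom.list <target> is",
        # "cached <target> is"); a stalled chain moves on to the next query
        status = "UNRESOLVED"
        if (i < m && index(line[i + 1], " " t " ") > 0) status = "resolved"
        print alias " -> " t ": " status
      }
    }'
}

check_cname_chain "$CNAME_CONF" "$LOG_SAMPLE"
```

Run it against a real excerpt with `check_cname_chain "$(cat /etc/dnsmasq.d/99-ntp.conf)" "$(pihole -t | head -200)"` style input; an UNRESOLVED line for a client points at the target not being known to dnsmasq rather than at the cname= rule itself.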

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

Above was tested on a Bullseye client of mine.
But if I test on Buster, I get the same results:

pi@ph5a:~ $ lsb_release -d
Description:    Raspbian GNU/Linux 10 (buster)
pi@ph5a:~ $ dig +short @localhost 1.debian.pool.ntp.org
nas.home.dehakkelaar.nl.
10.0.0.3

I have no idea what's bugging your Pi's ... yet.

Try creating a "Local DNS record" for that fritz.box name via the webGUI.
It might be below "limitation" (though the others wouldn't work either then):

pi@ph5a:~ $ man dnsmasq
[..]
       --cname=<cname>,[<cname>,]<target>[,<TTL>]
              Return  a  CNAME record which indicates that <cname> is re‐
              ally <target>. There is a  significant  limitation  on  the
              target;  it  must be a DNS record which is known to dnsmasq
              and NOT a DNS record which comes from an  upstream  server.
              The  cname  must  be  unique, but it is permissible to have
              more than one cname pointing to  the  same  target.  Indeed
              it's  possible  to declare multiple cnames to a target in a
              single line, like so: --cname=cname1,cname2,target

              If the time-to-live is given,  it  overrides  the  default,
              which  is  zero or the value of --local-ttl. The value is a
              positive integer and gives the time-to-live in seconds.

ok, I created a DNS record in the Web Interface:
fritz.box 192.168.178.1

On the raspberry:

dig +short 1.debian.pool.ntp.org
fritz.box.
192.168.178.1

Apr  2 22:59:40: query[A] 1.debian.pool.ntp.org from 192.168.178.17
Apr  2 22:59:40: config 1.debian.pool.ntp.org is <CNAME>
Apr  2 22:59:40: /etc/pihole/custom.list fritz.box is 192.168.178.1

That would explain it, but not why it works on your side without a DNS record on the Pi-hole?


Pi-hole has to be aware of the CNAME target, which would be the case if
a) the DNS record for fritz.box has been cached (e.g. from a previous lookup for fritz.box)
b) Pi-hole has a definition for fritz.box, e.g. a Local DNS record.

Of course, a) would only work until the cached DNS record is removed from cache after its TTL expires.
And that may have contributed towards your observation.

pi@ph5a:~ $ cat /etc/pihole/custom.list
[..]
10.0.0.3 nas.home.dehakkelaar.nl

EDIT: Forgot to mention that :wink:

Thanks everyone, the solution is working with the additional fritz.box DNS record. :grinning:


Can't say yet if it has any further effects, but my second router extends the network.
With the manual fritz.box DNS record at the Pi-hole, the device is sending a huge amount of DNS requests for the domain fritz.box. Every 4 minutes, 12 requests in a row.

Perhaps the 2nd fritzbox expects an AUTHORITY or ADDITIONAL section in the response data? There is no other difference.

Original:

dig fritz.box

; <<>> DiG 9.11.5-P4-5.1+deb10u8-Raspbian <<>> fritz.box
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18034
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;fritz.box.                     IN      A

;; ANSWER SECTION:
fritz.box.              9       IN      A       192.168.178.1

;; AUTHORITY SECTION:
fritz.box.              9       IN      NS      fritz.box.

;; ADDITIONAL SECTION:
fritz.box.              9       IN      A       192.168.178.1

;; Query time: 10 msec
;; SERVER: 192.168.178.15#53(192.168.178.15)
;; WHEN: Mo Apr 03 23:38:10 CEST 2023
;; MSG SIZE  rcvd: 73

Manual DNS record:
dig fritz.box

; <<>> DiG 9.11.5-P4-5.1+deb10u8-Raspbian <<>> fritz.box
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20204
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fritz.box.                     IN      A

;; ANSWER SECTION:
fritz.box.              0       IN      A       192.168.178.1

;; Query time: 2 msec
;; SERVER: 192.168.178.15#53(192.168.178.15)
;; WHEN: Mo Apr 03 23:37:29 CEST 2023
;; MSG SIZE  rcvd: 54

The TTL advertised for caching local DNS records is by default (OOTB) zero seconds:

pi@ph5b:~ $ man dnsmasq
[..]
       -T, --local-ttl=<time>
              When  replying with information from /etc/hosts or configu‐
              ration or the DHCP leases file dnsmasq by default sets  the
              time-to-live  field  to  zero,  meaning  that the requester
              should not itself cache the information. This is  the  cor‐
              rect  thing to do in almost all situations. This option al‐
              lows a time-to-live (in seconds)  to  be  given  for  these
              replies. This will reduce the load on the server at the ex‐
              pense of clients using stale data under some circumstances.

You can up it to 60 seconds at first with below:

pi@ph5b:~ $ sudo nano /etc/dnsmasq.d/99-local-ttl.conf
local-ttl=60

Check for errors:

pihole-FTL --test

And apply:

sudo service pihole-FTL reload

And check (with the fritz.box domain of course):

pi@ph5b:~ $ dig +noall +answer @localhost nas.home.dehakkelaar.nl
nas.home.dehakkelaar.nl.     60      IN      A       10.0.0.3

If that reduces the number of queries, you could try lowering it to two seconds and see how that goes.
You want it to be as low as possible so as not to risk getting stale replies.
