5

I'm configuring ntp inside a corporate network.

I've done

restrict default ignore
restrict -6 default ignore

and listed servers explicitly (I'm using public servers from pool.ntp.org). I also didn't enable broadcastclient.

After a while, ntpq -p keeps showing only a particular server inside the local network that I did not add in the configuration file.

Shouldn't restrict default ignore make ntpd ignore all packets from servers not explicitly mentioned?

I've checked the servers I'm using with dig, and the addresses seem correct.

Here's ntpq -pn:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.200.10.253   .INIT.          16 u    -   64    0    0.000    0.000   0.000

And my current ntp.conf (comments removed):

driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

server 2.europe.pool.ntp.org

restrict default ignore
restrict -6 default ignore
restrict 2.europe.pool.ntp.org nomodify
restrict 127.0.0.1
restrict ::1

loopbackbee
    Can you cut-and-paste into your **question** the output of `ntpq -pn`? It'd be helpful to see your `/ntp.conf` in its entirety, too. – MadHatter Jan 02 '15 at 17:21
  • @MadHatter edited to add those two. – loopbackbee Jan 02 '15 at 17:28
  • Are there any ntp related entries in /etc/hosts? If you ping instead of dig, do you get the same results for your server entry? Is it always that same 10.x address? – Aaron Jan 02 '15 at 17:39
  • @Aaron A couple of entries there, but nothing NTP related, and not this host in particular - which, yes, it's always the same. – loopbackbee Jan 02 '15 at 17:42
  • Do you have other servers on the same vlan that are able to reach 2.europe.pool.ntp.org? My next step would be to stop ntpd, start tcpdump and capture all traffic just in case something is doing proxy arp or some other form of redirection, then start ntpd. – Aaron Jan 02 '15 at 17:46
  • @Aaron I just verified I *am*, in fact, able to reach `2.europe.pool.ntp.org` using `ntpdate`. I've just found the problem, I was misunderstanding the way ntp worked on this particular system. will post an answer briefly – loopbackbee Jan 02 '15 at 17:53

1 Answer

8

After some debugging and Aaron's help, I've found the problem.

The ISC DHCP client fetches ntp servers information by default in Debian.

Debian's ntpd init script makes it use that info by extending /etc/ntp.conf with it. The resulting file is made available at /var/lib/ntp/ntp.conf.dhcp.

The solution is, of course, properly configuring DHCP not to receive ntp servers (just remove the ntp-servers option in /etc/dhcp/dhclient.conf).

More information available in NTP's support page, section 6.12:

ISC's dhcp is able to automatically configure the servers used by ntpd. 
Here's how to get it working:

    The dhcp server you are using must be configured to provide 
    the ntp-servers option

    Configure your dhclient to request ntp-servers (it doesn't by default). 
    To do this add ntp-servers to the default request line in 
    /etc/dhcp3/dhclient.conf

    Create an /etc/ntp.conf with all of the other settings that you wish to use.
    This file will be used to create /etc/ntp.conf.dhcp, it won't be overwritten.

    Your ntpd must be told to use /etc/ntp.conf.dhcp if it exists. 
    This is usually accomplished in the ntp init script (e.g. /etc/init.d/ntp). 
loopbackbee
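The mechanism in the answer, shown as an added example (not code from the question, the answer, or Debian's own dhclient hook): a POSIX shell script that models, in simplified form (an assumption about what the hook does), how a DHCP-supplied server list displaces the `server` lines of the base ntp.conf in the generated ntp.conf.dhcp, then audits the result by reporting any time source in the effective config that is missing from the explicit one, and checks whether dhclient.conf still asks for `ntp-servers`. All file paths, the sample lease value and the sample dhclient.conf are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the question, the answer, or Debian's own
# dhclient hook. It reproduces, in simplified form (an assumption about the
# hook's behaviour), how a DHCP-supplied server list replaces the 'server'
# lines of /etc/ntp.conf in the generated ntp.conf.dhcp, and then audits the
# result: any time source in the effective config that is missing from the
# explicit one is reported. All paths and server values are constructed.

# merge_dhcp_ntp BASE "SRV1 SRV2 ..."
# Emit BASE with its 'server' lines dropped and one 'server' line per
# DHCP-supplied address appended (simplified model of the Debian hook).
merge_dhcp_ntp() {
    base="$1"; servers="$2"
    awk '$1 != "server"' "$base"
    for s in $servers; do
        printf 'server %s\n' "$s"
    done
}

# list_servers FILE: print the address of every 'server' line, one per line.
list_servers() {
    awk '$1 == "server" { print $2 }' "$1"
}

# unexpected_sources EXPECTED EFFECTIVE
# Print each server in EFFECTIVE that is absent from EXPECTED.
# Returns 0 when the two agree, 1 when an unexpected source is present.
unexpected_sources() {
    expected="$1"; effective="$2"; found=0
    for s in $(list_servers "$effective"); do
        if ! list_servers "$expected" | grep -qxF "$s"; then
            echo "$s"
            found=1
        fi
    done
    return $found
}

# dhclient_requests_ntp DHCLIENT_CONF
# Returns 0 if a 'request ...;' statement (comments stripped; statements may
# span several lines) still asks the DHCP server for ntp-servers, 1 otherwise.
dhclient_requests_ntp() {
    sed 's/#.*//' "$1" | tr '\n' ' ' | grep -q 'request[^;]*ntp-servers'
}

# Demo with constructed files in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/ntp.conf" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 2.europe.pool.ntp.org
restrict default ignore
restrict -6 default ignore
restrict 2.europe.pool.ntp.org nomodify
restrict 127.0.0.1
restrict ::1
EOF
    # Constructed lease value standing in for what the DHCP server handed out.
    merge_dhcp_ntp "$tmp/ntp.conf" "10.200.10.253" > "$tmp/ntp.conf.dhcp"
    if unexpected_sources "$tmp/ntp.conf" "$tmp/ntp.conf.dhcp" > "$tmp/diff"; then
        echo "effective config matches explicit config"
    else
        echo "WARNING: time sources not in the explicit ntp.conf:"
        cat "$tmp/diff"
    fi
    # Constructed dhclient.conf whose request statement still lists ntp-servers.
    printf 'request subnet-mask, routers,\n  ntp-servers;\n' > "$tmp/dhclient.conf"
    if dhclient_requests_ntp "$tmp/dhclient.conf"; then
        echo "dhclient.conf still requests ntp-servers; drop it to keep the explicit list"
    fi
    rm -rf "$tmp"
}

demo
```

Run against the real files (`unexpected_sources /etc/ntp.conf /var/lib/ntp/ntp.conf.dhcp` and `dhclient_requests_ntp /etc/dhcp/dhclient.conf`) the two checks give a quick answer to the question asked above: `restrict default ignore` never sees the 10.x peer as an unsolicited packet, because the effective config names it as a server, and the only reliable fix is to stop requesting the option from DHCP.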