
If I am running ntp (via ntp.conf) heavily restricted, I cannot use a pool for a server. Why? Because the call to restrict (to allow access for the pool) seems to be another DNS Lookup, which returns another IP value than what was used to originally call the server. Please show me that I am wrong/being stupid about this.

Crude Example (portion of ntp.conf):

```
server 0.debian.pool.ntp.org iburst
restrict default ignore
restrict -6 default ignore
restrict 0.debian.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
```

This does not work (I think) because DNS calls to 0.debian.pool.ntp.org return different IP addresses and thus the wrong IP address is allowed via the (poorly named) restrict.

Jiminion

1 Answer


Use the builtin source alias/directive/whatever:

```
restrict source nomodify notrap noquery
```

Updated to include documentation for source:

restrict source configures a template restriction automatically added
at runtime for each association, whether configured, ephemeral, or
preemptible, and removed when the association is demobilized.

From: http://www.eecis.udel.edu/~mills/ntp/html/accopt.html#restrict

dfc
  • Unfortunately, I'm not close to the problem at this point. But I think restricting the source opens it up to all sources. – Jiminion Apr 09 '14 at 13:51
  • I am not sure what "restricting the source opens it up to all sources" means. It sounds like you are saying "restricting the source will open it up to the world." I added the documentation for `source` in the answer. I think it is pretty clear that it only opens things up for "each association, whether configured, ephemeral, or preemptible, and removed when the association is demobilized." – dfc Apr 09 '14 at 22:07
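
Added example (not part of the original question, answer or comments, and not ntpd code): a simplified Python model of the restriction list, following the question's premise that the `restrict <hostname>` line performs its own DNS lookup. The rotating resolver, the RFC 5737 documentation addresses and every class and function name are constructed for illustration.

```python
import ipaddress
from itertools import cycle

POOL_ADDRS = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]  # constructed, RFC 5737
FLAGS = {"nomodify", "notrap", "noquery"}

def make_resolver(addrs):
    """Stand-in for round-robin pool DNS: each lookup returns the next address."""
    it = cycle(addrs)
    return lambda name: ipaddress.ip_address(next(it))

class RestrictList:
    """Simplified restriction list: the most specific matching entry wins."""
    def __init__(self):
        self.entries = []         # (network, flags)
        self.source_flags = None  # template set by "restrict source ..."

    def restrict(self, net, flags):
        self.entries.append((ipaddress.ip_network(net), set(flags)))

    def mobilize(self, addr):
        # "restrict source": an entry is added at runtime for the association's address
        if self.source_flags is not None:
            self.restrict(f"{addr}/32", self.source_flags)

    def flags_for(self, addr):
        matches = [(n.prefixlen, f) for n, f in self.entries if addr in n]
        return max(matches, key=lambda m: m[0])[1]

def simulate(use_source):
    resolve = make_resolver(POOL_ADDRS)
    acl = RestrictList()
    acl.restrict("0.0.0.0/0", {"ignore"})        # restrict default ignore
    server = resolve("0.debian.pool.ntp.org")    # lookup 1: the server line
    if use_source:
        acl.source_flags = FLAGS                 # restrict source nomodify notrap noquery
    else:
        host = resolve("0.debian.pool.ntp.org")  # lookup 2: the restrict <name> line
        acl.restrict(f"{host}/32", FLAGS)
    acl.mobilize(server)
    stranger = ipaddress.ip_address("198.51.100.7")  # constructed unrelated host
    return server, acl.flags_for(server), acl.flags_for(stranger)

if __name__ == "__main__":
    for use_source in (False, True):
        server, flags, stranger = simulate(use_source)
        print(f"source={use_source}: {server} -> {sorted(flags)}, other -> {sorted(stranger)}")
```

In the hostname case the time server falls through to `default ignore`; with the `source` template the server's own address gets the relaxed flags while the unrelated address stays ignored.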