Load balancing NTP requests

SimonT
Here to help


So I wanted to create an NTP policy for one of my servers.

The server uses a pool of NTP servers, e.g.:

pool.ntp.org
time.windows.com

I set the firewall rules up as Allow, UDP, destination pool.ntp.org and time.windows.com, port 123.

I then created a final block rule.

Due to the nature of NTP pools, not every request is accepted. I am assuming that the server does a DNS look-up and is returned a round robin IP. The firewall then does its own DNS look-up and is returned an IP address. As the IPs are coming from a pool of several hundred, they are not always matching.

I could just allow UDP 123 out, but there are many other services that use round robin DNS. What's the best way to address this?

MerakiDave
Meraki Employee

Hi @SimonT I think you were referring to the Meraki equipment itself and as you pointed out that is why it still lists UDP/123 outbound to ANY destination IP for NTP.  However that is really for initial connections, and afterwards NTP is actually handled over the control plane connection (which was typically always UDP/7351 and in the latest MR/MS/MX firmware it'll happen over TCP/443).  The “ANY” destination is not actually a hard requirement and you can assign any NTP server you like via DHCP options from an upstream DHCP server, and so long as that NTP server is aligned with global NTP to within a few seconds that can also work fine and without having to make a mess of the firewall rules.  Sorry if I misunderstood. 

I was talking more about NTP for the devices rather than the firewall itself.

I have a standard Windows environment where there is a FSMO DC that is in charge of domain time. We are using a public internet-facing NTP server to sync with.

The DC server looks up the NTP server's IP address; that IP address might not match the IP address the firewall gets, due to the pool of IP addresses that can be behind an NTP server that is using a round robin IP address.

We use Umbrella as well, and I was wondering if there is a way for the device and the firewall to get the same resolved IP address.

Or, from your comment, can the Meraki be treated as an NTP server?

But this will happen again with any other service that uses round robin DNS.

KarstenI
Kind of a big deal

What about using FQDN-objects for this purpose?

Hi @KarstenI, would you be able to point me at an RTFM article for this? Are FQDN objects only updated by the API?

KarstenI
Kind of a big deal

Here you go:

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Network_Objects_Configuration_Guide

Policy-Objects are still labelled "Beta" but they are already widely used.

SimonT
Here to help

Thanks. I added the NTP servers in as network objects. I read that it's only supported in firewall rules and not group policies, so I set it up as a firewall rule. Looking at my NTP logs, I have it set to try 5 NTP servers and it's getting at least 2 to 5 most of the time. Is the FQDN object updated differently to how I was doing it?

KarstenI
Kind of a big deal

What exactly do you mean with "getting at least 2 to 5 most of the time"?

The Meraki implementation is not really documented (or I didn't find the relevant documentation) but it could work the following way:

  1. Client does a DNS request for abc.example.com
  2. The MX needs to see this request, which means DNS should not use DNSCrypt, DoH or something like that. The DNS request also has to flow through the same MX as the following traffic.
  3. The MX snoops the request and the response and adds both to a cache. The IPs are internally added to the corresponding Access-Control rules.
  4. When the real traffic arrives at the MX the filtering can happen based on these added IPs.
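The mismatch described in the opening post (client and firewall each resolving a round robin pool independently) and the snooping behaviour outlined in the four steps above can be shown side by side in a small simulation. This is an added example, not code from this thread or from Meraki, and it does not claim to be the MX's implementation: the hostnames, the TEST-NET addresses, the TTLs and the packet layout are all constructed here. It parses a minimal DNS response (RFC 1035 wire format with compression pointers), keeps a per-FQDN cache that expires with the record TTL, and compares a static rule built from the firewall's own look-up against a rule that learned its addresses from the client's DNS response as it passed through.

```python
"""Simulate a DNS-snooping FQDN rule next to a static, firewall-resolved rule.

Constructed example: the names, addresses and packet layout are invented for
illustration; this is not Meraki's implementation.
"""
import ipaddress
import struct


def _read_name(msg, offset):
    """Decode a DNS name at `offset`, following RFC 1035 compression pointers.

    Returns (lower-cased dotted name, offset just past the name in the
    original byte stream).
    """
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = offset + 2               # caller resumes after the 2-byte pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels).lower(), (end if end is not None else offset)


def parse_a_records(msg):
    """Return {name: [(ipv4, ttl), ...]} for the A records in a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:                     # QR bit clear: a query, nothing to learn
        return {}
    off = 12
    for _ in range(qdcount):                   # skip the question section
        _, off = _read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    answers = {}
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            answers.setdefault(name, []).append((str(ipaddress.IPv4Address(rdata)), ttl))
    return answers


def build_a_response(name, ips, ttl=60):
    """Build a minimal DNS A response (constructed test data, not captured traffic)."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
        for ip in ips
    )
    return header + question + answers


class FqdnRule:
    """Allow rule keyed on an FQDN; learns its IPs by snooping DNS responses."""

    def __init__(self, fqdn, port, proto="udp"):
        self.fqdn, self.port, self.proto = fqdn.lower(), port, proto
        self._resolved = {}                    # ip -> absolute expiry time

    def snoop(self, dns_response, now):
        """Cache every A record for our FQDN seen in a response passing the firewall."""
        for ip, ttl in parse_a_records(dns_response).get(self.fqdn, []):
            self._resolved[ip] = now + ttl

    def matches(self, dst_ip, dst_port, proto, now):
        """True only while the learned address is still within its TTL."""
        expiry = self._resolved.get(dst_ip)
        return (expiry is not None and now < expiry
                and dst_port == self.port and proto == self.proto)


def scenario():
    """Return (static_rule_allows, fqdn_rule_allows) for one client NTP request."""
    now = 1000
    # The client's resolver got one round-robin subset of the pool...
    client_answer = build_a_response("pool.ntp.org", ["203.0.113.10", "203.0.113.11"])
    # ...while the firewall's own independent look-up got a different one.
    firewall_answer = build_a_response("pool.ntp.org", ["198.51.100.5"])
    client_dst = "203.0.113.10"

    # Static rule: the firewall resolves the name itself and allows only what it saw.
    static_ips = {ip for ip, _ in parse_a_records(firewall_answer)["pool.ntp.org"]}
    static_allows = client_dst in static_ips

    # FQDN rule: the firewall snoops the client's DNS response on its way through.
    rule = FqdnRule("pool.ntp.org", 123)
    rule.snoop(client_answer, now)
    fqdn_allows = rule.matches(client_dst, 123, "udp", now + 5)
    return static_allows, fqdn_allows


if __name__ == "__main__":
    print(scenario())                          # (False, True)
```

The two prerequisites from step 2 fall out of the design: `snoop()` only ever sees responses that cross this firewall in the clear, so a client using DoH, DNSCrypt, or a resolver reached through a different path would never populate the cache and would be blocked exactly as with the static rule. Expiring entries on the record TTL is the conservative choice; a cache that never ages would keep allowing addresses the pool has since rotated out.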