EditWYSIWYGAttachPrintable
r2 - 2007-08-06 - 01:30:34 - DannyMayerYou are here: NTP >  Dev Web > DevelopmentIssues > DNSServerFailover
NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p13 was released on 07 March 2019. It addresses 1 medium-severity security issue in ntpd, and provides 17 non-security bugfixes and 1 other improvements over 4.2.8p12.

Please see the NTP Security Notice for vulnerability and mitigation details.

Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.

Failing-over DNS Server Addresses

1. Problem Summary

The current implementation of NTP uses DNS to retrieve the IP addresses of the server name in the configuration file. However, it just copies the first IP address and deletes the rest. For servers in the pool (pool.ntp.org) for example the number of addresses returned by DNS can be quite large but only the first is used. This can be a problem if the NTP server at that address is not available, has been removed or gets removed after some period of time. The NTP reference implementation however never comes back to DNS to try to look up the address again nor does it have any longer the list of IP addresses previously received so it continues to retry the one IP Address.

2. Proposed Solution

To fix this problem we will implement the following:
  1. Save all returned IP addresses from the lookup in a structure associated with the server name so that the NTP server can try the next IP address in the returned list if the first one fails.
  2. If there are no more entries in the IP address list, run a new DNS query and get a fresh list.
  3. Allow the configuration to specify how many IP addresses to use simultaneously and avoid to need to specify the same server name multiple times which could potentially result in getting the same IP address list.

3. Design Issues

In order to implement this a number of issues need to be decided. Because of the architecture of NTP it is expect that packets will be lost during the usage of the server. Indeed, UDP is meant for such situations.
  1. For an IP address that has never responded to an NTP Packet, how many times should an NTP packet before it gives up and tries a different server?
  2. For a server that has been responding to NTP packets, after it stops responding, how many retries of NTP packets should be made before it stops trying and moves on to the next IP address in the list?

Since the TTL of the IP addresses returned by DNS is not easily available to the client we will not rely on it to make decisions on whether or not we can use the IP addresses.

4. Implementation

In order to address these issues, there will be a number of configurable variables available to be set in the configuration file. The following is a partial list of parameters that will be available to be set:
  1. InitialFailoverRetryLimit
  2. ServerFailureRetryLimit
  3. MaxAddresses

There will be defaults for these in case the configuration files do not specify them. The default values have yet to be decided.

The code will perform a DNS lookup of the name and save a copy of all the IP addresses returned in an an association list with the name. The first address on the list will be used to try an form an association.

The peer association will need to keep track of both whether or not it's successfully received a packet and whether or not it's stopped receiving packets. It will also need to reset an address-specific not-received count every time it receives a response from the server.

The code will track the number of consecutive times that the server does not respond. When the number of consecutive failures exceeds the limit the association is demobilised and the next unused address is fetched from the previously fetched list of addresses. If there are no more unused addresses in the list then it will perform another DNS lookup to fetch a new address list and start again.

Note that using IP addresses for the server effectively disables the mechanism since only that address can be used. Setting the value to 0 of the above variables will disable the failover mechanism for which the variable is used.

-- DannyMayer - 05 Aug 2007

Edit | WYSIWYG | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r5 < r4 < r3 < r2 < r1 | More topic actions...
 
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback