ntp server - ntp client - debian based linux

A quick recipe on how to install and configure ntp servers and ntp clients on debian based Linux Systems.

Install the NTP daemon and utility programs

# apt-get install ntp 

Optionally you may install ntp-doc and ntpdate ( an ntp client )

Add some NTP servers at /etc/ntp.conf

#grep server /etc/ntp.conf 
server 0.pool.ntp.org
server ntp.ubuntu.com
server 1.debian.pool.ntp.org

You could also add the server's clock as last resort

server 127.127.1.0
fudge 127.127.1.0 stratum 10

A List of public Internet NTP Server Pools:
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org
0.debian.pool.ntp.org
1.debian.pool.ntp.org
2.debian.pool.ntp.org
3.debian.pool.ntp.org
europe.pool.ntp.org
uk.pool.ntp.org


To allow time updates from a certain network eg: 10.0.0.0/8 you could add restrict statements

restrict 10.0.0.0 mask 255.0.0.0 nomodify

Check if you are able to synchronize with public ntp servers

#ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+tuxli.ch        213.239.239.165  3 u  105  128  377   76.294    2.642   0.263
+europium.canoni 193.79.237.14    2 u  103  128  377   82.345    1.168   0.378

Another way to Configure you NTP server to provide Time to your Local Network.

grep broadcast /etc/ntp.conf 
broadcast 192.168.99.255

192.168.99.0/24 is an example local network.

Allow UDP traffic on port 123 to the networks you provide time.

# iptables -A INPUT -p udp --dport 123 -s 192.168.99.0/24 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p udp --dport 123 -s 192.168.99.0/24 -j ACCEPT
# iptables -A INPUT -p udp --dport 123 -s 10.0.0.0/8 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p udp --dport 123 -s 10.0.0.0/8 -j ACCEPT

Test your ntp server from another host on the network in which you provide time.

$ apt-get install ntpdate
$ ntpdate 192.168.99.1
31 Dec 17:10:03 ntpdate[25638]: adjust time server 192.168.99.1 offset -0.028884 sec

Just query the NTP server

$ ntpdate -q 10.21.241.4
server 10.21.241.4, stratum 2, offset 21.797882, delay 0.02577
11 Mar 15:55:20 ntpdate[2715]: step time server 10.21.241.4 offset 21.797882 sec

or try ntpdate -u to use unprivileged ports

$ ntpdate -u 10.21.241.4
$ 26 Feb 01:48:20 ntpdate[29121]: adjust time server 10.21.241.4 offset -0.001598 sec

To figure out which ntp servers are OK to use you could use ntpdate -d (debug) and ntptrace eg.

$ ntptrace 10.21.241.4
ipduh.ipduh.awmn: stratum 2, offset 0.013533, synch distance 0.030645
nero.grnet.gr: stratum 1, offset 0.000000, synch distance 0.000000, refid 'GPS'

and

$ ntpdate -d 10.21.241.4
 4 Mar 01:37:27 ntpdate[4575]: ntpdate 4.2.4p8@1.1612-o Tue Apr 19 07:08:19 UTC 2011 (1)
Looking for host 10.21.241.4 and service ntp
host found : ipduh.ipduh.awmn
transmit(10.21.241.4)
receive(10.21.241.4)
transmit(10.21.241.4)
receive(10.21.241.4)
transmit(10.21.241.4)
receive(10.21.241.4)
transmit(10.21.241.4)
receive(10.21.241.4)
transmit(10.21.241.4)
server 10.21.241.4, port 123
stratum 2, precision -20, leap 00, trust 000
refid [10.21.241.4], delay 0.02570, dispersion 0.00000
transmitted 4, in filter 4
reference time:    d4de5a93.1a8c84bf  Mon, Mar  4 2013  1:26:11.103
originate timestamp: d4de5d37.65a0ddb3  Mon, Mar  4 2013  1:37:27.396
transmit timestamp:  d4de5d37.59ed9dfd  Mon, Mar  4 2013  1:37:27.351
filter delay:  0.02576  0.02571  0.02570  0.02571 
         0.00000  0.00000  0.00000  0.00000 
filter offset: 0.045579 0.045590 0.045589 0.045580
         0.000000 0.000000 0.000000 0.000000
delay 0.02570, dispersion 0.00000
offset 0.045589

 4 Mar 01:37:27 ntpdate[4575]: adjust time server 10.21.241.4 offset 0.045589 sec

Now you could install ntp to other hosts on your network and use your NTP server at 10.21.241.4 or the one at 192.168.99.1 as the stratum 2 - `upstream` NTP servers or install ntpdate and run every so often ntpdate to synchronize their clocks.

NTP server - NTP client ... debian linux ubuntu etc

awmn public caching DNS and reverse zone authoriative server on debian

This is a quick and dirty recipe of how to set up a public caching and authoritative for a reverse zone nameserver for the Athens Wireless Metropolitan Network and the other Greek Wireless Communities on a debian based system.

Install bind

# apt-get install bind

Put the following on /etc/bind/named.conf

# cat /etc/bind/named.conf
//#g0 - 2012 

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

Put the following on /etc/bind/named.conf.options
and replace 10.27.224.17 with your IP address.

# cat /etc/bind/named.conf.options 
options {
 directory "/var/cache/bind";

 version "awmn. #g0 2012 alog.ipduh.com";

        listen-on { 127.0.0.1; 10.27.224.17; };

 auth-nxdomain no;    # conform to RFC1035
};

Put something like the following in /etc/bind/named.conf.local
Replace 224.27.10.in-addr.arpa with your reverse DNS zone

# cat named.conf.local 
//g0 2012 http://ipduh.com/contact

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
acl internals {
        127.0.0.0/8;
 10.0.0.0/8;
};

view "internal" {
        match-clients { internals; };
        recursion yes;
        allow-recursion { any; };
        allow-query { any; };
        allow-query-cache { any; };

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

//10.27.224.0/24 reverse zone 
zone "224.27.10.in-addr.arpa" IN {
        type master;
        file "/var/cache/bind/db.224.27.10.in-addr.arpa";
        allow-update { none; };
};

zone "10.in-addr.arpa" IN {
        type forward;
        forwarders {
          //10.0.1.1;
          10.19.143.12;
          //10.19.143.13;
        };
};



//####################################
//# Greek Wireless Communities Zones #
//####################################
//# https://www.awmn.net/wiki/       #
//####################################
//Because awmn will go gwmn pretty soon g stands for Greek or Global ;)
//####################################

zone "awmn" IN {
        type forward;
        forwarders {
          //10.0.1.1;  
          10.19.143.12;
          //10.19.143.13;
        };
};

zone "wn" IN {
        type forward;
        forwarders {
                10.126.3.115;
                10.110.17.115;
                10.19.143.12;
                10.17.122.134;
                10.86.87.129;
                10.2.16.130;
                10.110.17.67;
        };
};

zone "swn" IN {
        type forward;
        forwarders {
                10.101.0.254;
                10.106.3.1;
                10.174.254.101;
                10.174.1.253;
        };
};


zone "twmn" IN {
        type forward;
        forwarders {
                10.104.76.65;
                10.122.20.70;
                10.122.3.68;
                10.122.14.72;
                10.104.1.74;
        };
};

zone "wthess" IN {
        type forward;
        forwarders {
                10.96.0.1;
                10.96.22.2;
                10.96.9.3;
        };
};

zone "ewn" IN {
        type forward;
        forwarders {
                10.145.7.150;
                10.146.210.130;
        };
};

zone "mswn" IN {
        type forward;
        forwarders {
                10.148.50.2;
        };
};

zone "cywn" IN {
        type forward;
        forwarders {
                10.215.0.125;
                10.215.2.126;
        };
};

zone "dwn" IN {
        type forward;
        forwarders {
                10.174.1.253;
                10.174.254.101;
                10.174.17.250;
        };
};

zone "wiran" IN {
        type forward;
        forwarders {
                10.230.3.133;
        };
};

zone "wana" IN {
        type forward;
        forwarders {
                10.224.3.35;
        };
};

zone "awn" IN {
        type forward;
        forwarders {
                10.198.0.130;
        };
};

zone "pwmn" IN {
        type forward;
        forwarders {
                10.140.14.67;
        };
};

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

};

Then put the zone info for 224.27.10.in-addr.arpa ( our example reverse zone ) at /var/cache/bind/db.224.27.10.in-addr.arpa or another appropriately named file

# cat /var/cache/bind/db.224.27.10.in-addr.arpa
$ORIGIN 224.27.10.in-addr.arpa.
$TTL 86400
@ IN SOA ns1.geioa.ns.awmn. systems-awmn.bot.ipduh.com. (
                    2012122501 ; serial
                    21600      ; refresh after 6 hours
                    3600       ; retry after 1 hour
                    604800     ; expire after 1 week
                    86400 )    ; minimum TTL of 1 day

          IN  NS ns1.geioa.ns.awmn.

1          IN  PTR router.geioa.ns.awmn.
17         IN  PTR serverakos.geioa.ns.awmn.

Then restart bind

# /etc/init.d/bind9 restart

AWMN public hybrid caching DNS and PTR server

Winbox on Wine on Linux

Winbox is a useful tool --even for command line sluts--
made by Mikrotik to manage RouterOS systems .
Wine is an easy way to get winbox working on linux systems.

Making it work on Debian Based Systems; Debian , Ubuntu , Xbuntu etc should be a breeze.

$ sudo apt-get install wine
$ wget http://download2.mikrotik.com/winbox.exe
$ chmod 755 winbox.exe
$ wine winbox.exe

winbox on wine --Linux

A caching DNS server on debian like systems ( Ubuntu 12.04 )

This recipe works on a 12.04 host and it does not on another 12.04 .
Try this instead.

I had to help a friend to setup a DNS caching server for his network. His network is a little bit special since he is connected constantly to three distinct networks: the Internet , the AWMN - A wireless community , and his `local` network.

The DNS server will serve the local network and provide a `public` DNS server to the wireless community.

I am setting the DNS caching server on an Ubuntu 12.04 server but the instructions following should work just fine on any Debian based system.

First of all we need to install bind

root@ubuntu-01:~# apt-get install bind9

Setting up bind

I like to reduce the number of files used to a minimum in any configuration so I set /etc/named.conf to the one following.

root@ubuntu-01:/etc/bind# cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
//#g0 - 2012 there is an entry describing this configuration at alog.ipduh.com
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
//include "/etc/bind/named.conf.default-zones";

Next let 's set the basics at /etc/named.conf.options. 10.27.224.17 is an IP address accessible by the whole Wireless Communtity AWMN and the local network. The gateway used by the server has Internet Access.

root@ubuntu-01:/etc/bind# cat named.conf.options 
options {
 directory "/var/cache/bind";

 version "some other version search alog.ipduh.com & awmn wiki";

        listen-on { 127.0.0.1; 10.27.224.17; };

 

 // If there is a firewall between you and nameservers you want
 // to talk to, you may need to fix the firewall to allow multiple
 // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

 // If your ISP provided one or more IP addresses for stable 
 // nameservers, you probably want to use them as forwarders.  
 // Uncomment the following block, and insert the addresses replacing 
 // the all-0's placeholder.

  //forwarders {
  // 0.0.0.0;
  //};

 //========================================================================
 // If BIND logs error messages about the root key being expired,
 // you will need to update your keys.  See https://www.isc.org/bind-keys
 //========================================================================
 //dnssec-validation auto;

 auth-nxdomain no;    # conform to RFC1035
 //listen-on-v6 { any; };
};

I disabled dnssec-validation and I will push the "." hint to the bottom so the DNS resolver-cache can deal with the wireless communities TLDs any way it wants.

Here goes the heart of it all --the /etc/named.conf.local

root@ubuntu-01:/etc/bind# cat named.conf.local 
// #g0 2012 -- http://ipduh.com/contact -- there is a post on alog.ipduh.com
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

//No need we will make the caching DNS server available to everyone
//acl internals {
//      127.0.0.0/8;
//    192.168.0.0/16;
//  10.0.0.0/8;
//};

//view "internal" {
//       match-clients { internals; };
//      recursion yes;

//Moved to the bottom
// prime the server with knowledge of the root servers
//zone "." {
//       type hint;
//      file "/etc/bind/db.root";
//};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};


//####################################
//# Greek Wireless Communities Zones #
//####################################
//# https://www.awmn.net/wiki/       #
//####################################
//Because awmn will go gwmn pretty soon g stands for Greek or Global ;)
//####################################

zone "10.in-addr.arpa" IN {
        type forward;
        forwarders {
       10.19.143.12;
       10.19.143.13;
        };
};


zone "awmn" IN {
        type forward;
        forwarders {
              // 10.0.1.1;  
         10.19.143.12;
              // 10.19.143.13;
        };
};

zone "wn" IN {
        type forward;
        forwarders {
                10.126.3.115;
                10.110.17.115;
                10.19.143.12;
                10.17.122.134;
                10.86.87.129;
                10.2.16.130;
                10.110.17.67;
        };
};

zone "swn" IN {
        type forward;
        forwarders {
                10.101.0.254;
                10.106.3.1;
                10.174.254.101;
                10.174.1.253;
        };
};


zone "twmn" IN {
        type forward;
        forwarders {
                10.104.76.65;
                10.122.20.70;
                10.122.3.68;
                10.122.14.72;
                10.104.1.74;
        };
};

zone "wthess" IN {
        type forward;
        forwarders {
                10.96.0.1;
                10.96.22.2;
                10.96.9.3;
        };
};

zone "ewn" IN {
        type forward;
        forwarders {
                10.145.7.150;
                10.146.210.130;
        };
};

zone "mswn" IN {
        type forward;
        forwarders {
                10.148.50.2;
        };
};

zone "cywn" IN {
        type forward;
        forwarders {
                10.215.0.125;
                10.215.2.126;
        };
};

zone "dwn" IN {
        type forward;
        forwarders {
                10.174.1.253;
                10.174.254.101;
                10.174.17.250;
        };
};

zone "wiran" IN {
        type forward;
        forwarders {
                10.230.3.133;
        };
};

zone "wana" IN {
        type forward;
        forwarders {
                10.224.3.35;
        };
};

zone "awn" IN {
        type forward;
        forwarders {
                10.198.0.130;
        };
};

zone "pwmn" IN {
        type forward;
        forwarders {
                10.140.14.67;
        };
};

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

//};

Going around the resolv.conf madness on ubuntu 12.04 server.

Adding 127.0.0.1 on /etc/resolv.conf to be on the safe side

root@ubuntu-01:/etc/resolvconf/resolv.conf.d# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

Set base, original , and tail in the /etc/resolvconf/resolv.conf.d directory

root@ubuntu-01:/etc/resolvconf/resolv.conf.d# cat base
nameserver 10.27.224.17
nameserver 127.0.0.1
root@ubuntu-01:/etc/resolvconf/resolv.conf.d# cp base tail
root@ubuntu-01:/etc/resolvconf/resolv.conf.d# cp tail original

Restart Bind9 and Test Configuration

root@ubuntu-01:/etc/resolvconf/resolv.conf.d# /etc/init.d/bind9 restart
 * Stopping domain name service... bind9                                                                                                                                                                    waiting for pid 5881 to die
                                                                                                                                                                                                     [ OK ]
 * Starting domain name service... bind9  

                                                                                
root@ubuntu-01:/etc/resolvconf/resolv.conf.d# dig forum.awmn +short
10.19.143.13    
root@ubuntu-01:/etc/resolvconf/resolv.conf.d# dig ipduh.com +short
85.25.242.245                                                                                                                         

OK, it works.

caching DSN for the AWMN --outdated