NetBSD-Users archive

Re: ntpdate(8) and unbound(8) dependencies during boot

On Oct 17,  8:23, Greg Troxel wrote:
} Sad Clouds <> writes:
} > On Sat, 17 Oct 2020 10:33:28 +0200
} > Martin Husemann <> wrote:
} >
} >> For things w/o RTC clock (that are unlikely to travel from airport
} >> wlan to next airport wlan) I usually do not want them to use any
} >> *external* IPs at all (while for me hard coded or dhcp provided local
} >> IPs work fine).
} >> 
} >> I also do not want my ISP, Cloudflare, Google, or some hacker having
} >> access at either of them to be able to tell when "some thing" in my
} >> local network boots.
} >
} > I'm not sure I follow you. You don't want your NTP traffic to go outside
} > your local network, so I'm assuming you run your own local NTP servers
} > that synchronize with some trusted server on the Internet?
} >
} > I'm not an expert on NTP, but what sort of information do you think it
} > could leak that could compromise your system security? There are ways
} > for hackers to abuse NTP protocol, but that is where you should be using
} > NTS extensions.
} I can completely see where Martin is coming from, even if it's on the
} paranoid side - but NetBSD has a tradition of not offending paranoids by
} default.
} Certainly one can have a local server and point local things to it.

     Just take an RPi (or other SBC) and a GPS receiver, and you
too can run a stratum 0 server.

} By default we don't enable NTP, but the default config has the pool.  I
} find contacting random pool servers not a real problem, but connecting
} to anything connected with a big company that might think it ok to store
} data of what happened and use it later is potentially concerning.
} I also realize this is turtles all the way down and the next question
} is leaking information about DNS.  But I don't think we should be

     I run my own DNS server.  Of course that doesn't stop my ISP
from sniffing my DNS traffic.

} configuring talking to Google anything or even Cloudflare.
}-- End of excerpt from Greg Troxel
