Suspicious DNS replies on 0.centos.pool.ntp.org query

Posted: 2020/02/12 09:03:54
by mokaz
Hi there all,

Crawling my logs, I've found some strange replies on DNS queries towards X.centos.pool.ntp.org.
Here is one example:

Date/Time: 02-05 08:34
Device Time: 2020-02-05 08:34:04
Domain Name: 0.centos.pool.ntp.org
Event Time: 1580888044259527691
IP Address: 185.220.101.20,91.202.42.83,185.220.101.0,134.102.201.104
Query Class: IN
Query Type: A
Query Type Value: 1
Time Stamp: 2020-02-05 08:34:08
Time Zone: +0100
Transaction ID: 29530

I've matched pretty much all my CentOS boxes getting the same answers (IP addresses in return to the query) between 05.02.2020 and 07.02.2020.
The issue is that the 185.220.101.xx IPs returned are Tor exit nodes, which I thought was weird.

If anyone could comment or acknowledge any issues DNS-wise?

Thanks,
Regards,
Mokaz
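The check the poster did by hand (read the answer IPs out of the DNS log record and see whether any of them fall in an address range on a watchlist) can be scripted. The following is an added example, not code from the thread or from CentOS/ntp.org. It parses the flattened "Key<value>" record format shown above (with or without a ": " separator), extracts the A-record answers and flags any that fall inside a watchlist. The watchlist is a constructed stand-in containing only the 185.220.101.0/24 prefix the poster mentioned; it is not a real Tor exit-node list, so in practice it would be loaded from a current exit-list or threat feed.

```python
"""Flag DNS answers for an NTP pool name whose A records fall in a watchlist.

Added example (not from the thread). The record and the watchlist below
are constructed to mirror the post; the watchlist is NOT a real Tor
exit-node list, it only contains the prefix the poster mentioned.
"""
import ipaddress
import re

# Field names as they appear in the log record, longest first so that
# "Query Type Value" is not split as "Query Type" + "Value".
FIELDS = sorted(
    ["Date/Time", "Device Time", "Domain Name", "Event Time", "IP Address",
     "Query Class", "Query Type", "Query Type Value", "Time Stamp",
     "Time Zone", "Transaction ID"],
    key=len, reverse=True,
)
# Key fused directly to its value, or separated by an optional ":".
FIELD_RE = re.compile(
    r"^(%s)\s*:?\s*(.*)$" % "|".join(re.escape(f) for f in FIELDS)
)

# Constructed sample record, copied from the post (key fused to value).
SAMPLE_RECORD = """\
Date/Time02-05 08:34
Device Time2020-02-05 08:34:04
Domain Name0.centos.pool.ntp.org
Event Time1580888044259527691
IP Address185.220.101.20,91.202.42.83,185.220.101.0,134.102.201.104
Query ClassIN
Query TypeA
Query Type Value1
Time Stamp2020-02-05 08:34:08
Time Zone+0100
Transaction ID29530
"""

# Constructed watchlist (assumption: a real deployment would load the
# current Tor exit list or an internal threat feed). Hosts or prefixes.
WATCHLIST = ["185.220.101.0/24"]


def parse_record(text):
    """Split a flattened record into a dict, one known field per line."""
    rec = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            rec[m.group(1)] = m.group(2).strip()
    return rec


def answer_addresses(rec):
    """Return the answer IPs as ip_address objects, skipping malformed entries."""
    addrs = []
    for tok in rec.get("IP Address", "").split(","):
        tok = tok.strip()
        if not tok:
            continue
        try:
            addrs.append(ipaddress.ip_address(tok))
        except ValueError:
            # A garbled entry should not abort the whole pass over the logs.
            continue
    return addrs


def flagged_answers(rec, watchlist=WATCHLIST):
    """Return the answer IPs (as strings) that fall inside any watchlist entry."""
    nets = [ipaddress.ip_network(w, strict=False) for w in watchlist]
    return [str(a) for a in answer_addresses(rec) if any(a in n for n in nets)]


def check_record(text, watchlist=WATCHLIST):
    """Parse one record and summarise what was asked, answered and flagged."""
    rec = parse_record(text)
    return {
        "domain": rec.get("Domain Name"),
        "txid": rec.get("Transaction ID"),
        "answers": [str(a) for a in answer_addresses(rec)],
        "flagged": flagged_answers(rec, watchlist),
    }


if __name__ == "__main__":
    print(check_record(SAMPLE_RECORD))
```

Run over a day's worth of exported records, a non-empty "flagged" list is the trigger for the kind of question asked in this thread; because pool.ntp.org rotates the addresses it hands out, the same domain will legitimately resolve to different hosts on every query, so the comparison is against the address ranges, not against a fixed expected answer.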

Re: Suspicious DNS replies on 0.centos.pool.ntp.org query

Posted: 2020/02/12 10:19:36
by TrevorH
I queried this with the infra guys and they tell me that this is entirely controlled by the ntp.org people and has nothing to do with CentOS. I believe we tell them that we need a pool, then they just create it and assign it ip addresses that they believe are correct and proper ntp servers.

Re: Suspicious DNS replies on 0.centos.pool.ntp.org query

Posted: 2020/02/13 10:37:35
by mokaz
Hey Trevor, thanks for your time on this, appreciated.
I'll try to figure a little further @ntp.org because returning this (https://ip-46.com/185.220.101.20) as a centos pool member appears strange to me.

Thanks,
Regards,
m

Re: Suspicious DNS replies on 0.centos.pool.ntp.org query

Posted: 2020/02/13 10:48:42
by TrevorH
It does sound strange to me too but in reality, the only thing that CentOS has to do with ntp pools is that we tell them that we need one and they do everything else. The ip addresses assigned to the pool and the DNS entries are all controlled by the ntp people.

Re: Suspicious DNS replies on 0.centos.pool.ntp.org query

Posted: 2020/02/13 14:51:54
by mokaz
Well, I feel slightly less lonely now =)
https://community.ntppool.org/t/ntf-rec ... -pool/1557

According to the linked post:

We are finding that some IP addresses that used to be TOR activities are being reused in the NTP.org 2 pool. This is really bad and we are moving all NTP away from NTP.org 2 as a result.

Questionable, I'd say.

Thanks again,
Kind regards,
Mokaz