[SOLVED] Time synchronization problem

Try running this now to see if the anycast ntp server responds consistently:
Code:
ntp -w -p ntp.se
I get two lines of response, then it seems to hang and I exit with ctrl-c. The result:
Code:
XXXX@RT-AC68U:/tmp/home/root# ntp -w -p ntp.se
ntp: reply from 194.58.200.20: offset:+0.001310 delay:0.001709 status:0x24 strat:1 refid:0x00535050 rootdelay:0.000000 reach:0x01
ntp: reply from 194.58.200.20: offset:+0.001305 delay:0.001728 status:0x24 strat:1 refid:0x00535050 rootdelay:0.000000 reach:0x03
EDIT: Well, a third line appeared after a bit of time... And a fourth. Takes a few seconds between each response. The first two rows I get quite quickly.
 
You are using encrypted DNS service. I bet you adding the following to your dnsmasq.conf.add will solve your problem:

Code:
server=/ntp.se/1.1.1.1
I was heading down that path too, but the router is not using dnsmasq for lookups. I'm guessing the internet connection isn't fully up when NTP initially tries to sync. But I don't know why it wouldn't try again later.
 
The certificate for 1.1.1.1 is only valid between 1/27/2019 and 2/1/2021. If the router's clock is outside of that time frame before NTP sync, it's going to reject the certificate for any DoH lookups.
 
True for DoH. But when the router tries to sync NTP, it's only going to use the local resolver pointed to 1.1.1.1 the old fashioned way without DoH (53/udp). There should be no reason the router can't lookup ntp.se and sync time, unless the WAN connection isn't fully operational at that point in the boot process.

@FalconB it might be more useful to share a full syslog from a boot sequence (the previous syslog was filtered only for ntp messages).
 
Interesting. So if you set DNS Privacy Protocol to DNS-over-TLS, the router doesn't use DoT to resolve requests that originate from the router itself?
 
Depends on Tools / Other Settings / Wan: Use local caching DNS server as system resolver (default: No).
 
That puts the router in an interesting position if Connect to DNS Server automatically is ticked No and DNS Server1 and DNS Server2 are blank. What will it do in that case?
 
It would be broken since it has no normal DNS servers available to bootstrap everything else.
 
My router is configured as described above, except I use dnscrypt-proxy instead of DoT. A simple nslookup from a shell suggests that it will use dnsmasq in that case:

Code:
admin@RT-AC88U:/tmp/home/root# nslookup google.com
Server:    0.0.0.0
Address 1: 0.0.0.0

Name:      google.com
Address 1: 2404:6800:4003:c04::71
Address 2: 172.217.194.102
Address 3: 172.217.194.139
Address 4: 172.217.194.100
Address 5: 172.217.194.101
Address 6: 172.217.194.113
Address 7: 172.217.194.138
 
Is dnsmasq or dnscrypt-proxy listening on all interfaces (0.0.0.0:53)?
Code:
netstat -nlup | grep ":53 "
 
Code:
admin@RT-AC88U:/tmp/home/root# netstat -nlup | grep ":53 "
udp        0      0 192.168.2.1:53        0.0.0.0:*                           395/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           395/dnsmasq
udp        0      0 192.168.1.1:53        0.0.0.0:*                           395/dnsmasq
dnsmasq is set to query dnscrypt-proxy.
 
OK that's interesting to learn. What's your /etc/resolv.conf look like in this scenario?
 
0 bytes
Code:
-rw-r--r--    1 admin    root             0 May  4  2018 resolv.conf
 
That puts the router in an interesting position if Connect to DNS Server automatically is ticked No and DNS Server1 and DNS Server2 are blank.

It should never be set that way, you MUST have a valid DNS configured there.
 
JF0woKN.png


Code:
admin@RT-AC88U:/tmp# nvram show | grep 'wan_dns'
wan_dns=
wan_dns2_x=
wan_dns1_x=
wan_dnsenable_x=0
size: 66911 bytes (64161 left)
admin@RT-AC88U:/tmp#

Perhaps it works because DNS filtering forces all DNS requests to dnsmasq? I just thought that only happened to client DNS and not to router DNS.
 
That explains it. Thanks for finding that.

I feel like this throws my understanding of the Wan: Use local caching DNS server as system resolver (default: No) because mine is set to No and the local caching DNS server is being used as the system resolver anyway. Perhaps something clarifying that the option is there to override any WAN DNS servers configured by DHCP or manually in the WAN settings, but absent any configured WAN DNS servers it will have no effect.
 
This is going to be a long post, but I still don't get it to work. Below are the results of a bunch of tests I have done and some config screenshots. I have also noticed that I have a DNS leak while the time is not set (checking through ipleak.net showing multiple DNS servers being used), but it's ok when the time is set. And as you also can see, I use a script from @Martineau to create a VLAN to separate some devices (thank you VERY much!). Anyways, the test results:

EDIT: There seem to be character combinations in the syslog that are not allowed on the forum, hence I can't upload it. Any ideas which combos are not allowed?

Code:
XXXX@RT-AC68U:/jffs/scripts# ntp -w -p ntp.se
ntp: reply from 194.58.200.20: offset:+50897063.052613 delay:0.001979 status:0x24 strat:1 refid:0x00535050 rootdelay:0.000000 reach:0x01
ntp: reply from 194.58.200.20: offset:+50897063.052627 delay:0.001978 status:0x24 strat:1 refid:0x00535050 rootdelay:0.000000 reach:0x03

Code:
XXXX@RT-AC68U:/jffs/scripts# netstat -nlup | grep ":53 "
udp        0      0 127.0.0.1:53            0.0.0.0:*                           5449/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           5449/dnsmasq
udp        0      0 192.168.2.1:53          0.0.0.0:*                           5449/dnsmasq
udp        0      0 192.168.3.1:53          0.0.0.0:*                           5449/dnsmasq
udp        0      0 192.168.144.1:53        0.0.0.0:*                           5449/dnsmasq
udp        0      0 127.0.1.1:53            0.0.0.0:*                           5446/stubby

Code:
XXXX@RT-AC68U:/jffs/scripts# cat /etc/resolv.conf
nameserver 1.1.1.1
nameserver 127.0.1.1

Code:
XXXX@RT-AC68U:/jffs/scripts# nvram show | grep 'wan_dns'
size: 52130 bytes (13406 left)
wan_dns=1.1.1.1
wan_dns2_x=
wan_dns1_x=1.1.1.1
wan_dnsenable_x=0

Code:
XXXX@RT-AC68U:/jffs/scripts# cat /etc/dnsmasq.conf
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
bogus-priv
domain-needed
dhcp-range=lan,192.168.1.230,192.168.1.250,255.255.255.0,86400s
dhcp-option=lan,3,192.168.1.1
dhcp-option=lan,252,"\n"
dhcp-authoritative
interface=tun21
interface=tun22
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec
dnssec-no-timecheck
stop-dns-rebind
address=/use-application-dns.net/
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp

server=/ntp.se/1.1.1.1

[...]

Code:
XXXX@RT-AC68U:/jffs/scripts# nslookup $(nvram get ntp_server0)
Server:    1.1.1.1
Address 1: 1.1.1.1 one.one.one.one

Name:      ntp.se
Address 1: 2a01:3f7::1 ntp.se
Address 2: 194.58.200.20 ntp.se

Code:
XXXX@RT-AC68U:/jffs/scripts# nslookup google.com
Server:    1.1.1.1
Address 1: 1.1.1.1 one.one.one.one

Name:      google.com
Address 1: 2a00:1450:400f:80d::200e arn09s20-in-x0e.1e100.net
Address 2: 172.217.20.46 par10s09-in-f46.1e100.net

Code:
XXXX@RT-AC68U:/jffs/scripts# nvram show | grep ntp
ntpd_server_redir=0
ntp_server0=ntp.se
ntp_server1=
rc_support=mssid 2.4G 5G update usbX2 switchctrl manual_stb pwrctrl WIFI_LOGO nandflash meoVoda movistarTriple app reboot_schedule ipv6 ipv6pt PARENTAL2 dnsfilter ntpd dnspriv dnspriv dualwan pptpd openvpnd utf8_ssid printer modem webdav rrsut cloudsync media appnet timemachine hdspindown diskutility nfsd dnssec dblog email bwdpi snmp tor HTTPS letsencrypt ssh vpnc repeater psta wl6 optimize_xbox wifi_tog_btn user_low_rssi bcmfa tcode usericon stainfo cloudcheck realip netool cfg_sync amas bcmwifi eula proxysta
ntp_ready=0
size: 52130 bytes (13406 left)
ntpd_enable=0

Code:
XXXX@RT-AC68U:/jffs/scripts# date
Sat May  5 07:27:43 DST 2018

Advanced tweaks.JPG

Basic config.JPG

WAN DNS.JPG
 
I use Cloudflare’s ntp server IP address, rather than a domain name.
Any ntp IP address would do I guess.

That way when restarting, your time acquisition isn’t dependent on a dns resolution to get up & running?

Those with more knowledge than me, chime in here. :)
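
The clock and certificate-window dependency raised earlier in the thread, worked with the values posted above. This is an added example, not code from any poster or from the firmware; it assumes the posted `date` output is UTC, reads the quoted validity window as month/day/year at midnight UTC, and needs a `date` that accepts `-d` (GNU and BusyBox do).

```shell
#!/bin/sh
# Added example: values are copied from the thread's posted output or labelled as assumptions.

# One reply line as posted in the thread (output of `ntp -w -p ntp.se`).
NTP_LINE='ntp: reply from 194.58.200.20: offset:+50897063.052613 delay:0.001979 status:0x24 strat:1 refid:0x00535050 rootdelay:0.000000 reach:0x01'
ROUTER_CLOCK='2018-05-05 07:27:43'  # posted `date` output, treated as UTC (assumption)
NOT_BEFORE='2019-01-27 00:00:00'    # window quoted in the thread, read as m/d/yyyy,
NOT_AFTER='2021-02-01 00:00:00'     # midnight UTC (assumption)

# Whole seconds of the offset field: leading "+" and the fraction are dropped.
ntp_offset_secs() {
    printf '%s\n' "$1" |
        sed -n 's/.* offset:+\{0,1\}\(-\{0,1\}[0-9][0-9]*\)\..*/\1/p'
}

to_epoch() { date -u -d "$1" +%s; }

# $1 = clock (epoch), $2 = notBefore (epoch), $3 = notAfter (epoch)
cert_state_at() {
    if [ "$1" -lt "$2" ]; then echo not-yet-valid
    elif [ "$1" -gt "$3" ]; then echo expired
    else echo valid
    fi
}

# Compare the validity-window check before and after applying the NTP offset.
boot_clock_report() {
    now=$(to_epoch "$ROUTER_CLOCK")
    nb=$(to_epoch "$NOT_BEFORE")
    na=$(to_epoch "$NOT_AFTER")
    off=$(ntp_offset_secs "$NTP_LINE")
    corrected=$((now + off))
    echo "clock_behind_days=$((off / 86400))"
    echo "before_sync=$(cert_state_at "$now" "$nb" "$na")"
    echo "after_sync=$(cert_state_at "$corrected" "$nb" "$na")"
    echo "corrected_date=$(date -u -d "@$corrected" +%Y-%m-%d)"
}

boot_clock_report
```

With these inputs the pre-sync clock falls before the start of the window and the corrected clock falls inside it, so an encrypted-DNS lookup that validates the certificate can only succeed once time sync has already happened.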
 
