Posted: Tue Oct 27, 2020 12:05 pm Post subject: [SOLVED] dnsmasq on Raspberry Pi - ntp issues
(Actually, I solved this on Arch linux, but I thought I'd record it here if anyone else hits the problem)
I set up my Pi as the authoritative DNS server using DNSSEC for my home network; it also provides a local NTP server daemon. The configuration is much as described in many places on the web, so I won't bore you with the details. However... on rebooting, my DNS disappeared, and all the other devices on the network started resolving everything to 127.0.0.1. Dnsmasq claimed to be running OK, but clearly wasn't. Then I noticed the Pi's time was stuck some days in the past, and its NTP daemon wasn't happy. This turns out to be the key issue.
NTP finds the current time from the configured pool of servers, which of course requires DNS to find them (unless you hard code IP addresses, which way lies madness). But DNSSEC checks the timestamps on the DNS records, and doesn't trust one set in the future. As Pi users will know, there's no hardware clock, so there are various hacks to get a booting system before NTP comes up, but they all start the time in the past immediately after boot. So NTP won't give the correct time until DNS gives the pool server names, and DNS won't resolve names until the Pi has the correct time. Catch 23.
Dnsmasq solved this problem by including a couple of extra configuration/command line parameters, but they are documented neither in the man page nor the sample /etc/dnsmasq.conf. You need:
# Touch a file, such as that named below, to be R/W by dnsmasq or whatever userid it runs under
The first line gets dnsmasq to suspend timestamp checks until the file named in the second line has a date older than the system date. That means dnsmasq will resolve the ntp pool names on reboot, ntp will set the time, then the file becomes older than the system, so dnsmasq enables timestamp checks and touches the file again, updating its timestamp.
There's probably a window for a denial of service attack, but you probably shouldn't be using a Pi anyway if that's an issue.
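The bootstrap rule the post describes, as an added example that is not part of the original post: a POSIX shell sketch that emits the two dnsmasq options involved (dnssec-no-timecheck and dnssec-timestamp, which are real dnsmasq options; the file path is a placeholder), mirrors the "file mtime versus system clock" decision as a pure function, and walks the reboot sequence on constructed epoch values. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the real dnsmasq options
# dnssec-no-timecheck and dnssec-timestamp; the path is a placeholder and the
# function names are hypothetical.

TS_FILE="${TS_FILE:-/PLACEHOLDER/path/dnsmasq.time}"

# The two dnsmasq.conf lines the post refers to. The file must live on
# persistent storage and be writable by the user dnsmasq runs as.
dnsmasq_dnssec_fragment() {    # $1 = timestamp file path
    printf 'dnssec-no-timecheck\ndnssec-timestamp=%s\n' "$1"
}

# Pure decision rule as the post describes it: timestamp checks stay
# suspended while the file's mtime is ahead of the system clock, and are
# enforced once the clock (corrected by NTP) has moved past it.
timecheck_state() {            # $1 = file mtime (epoch), $2 = now (epoch)
    if [ "$1" -gt "$2" ]; then echo suspended; else echo enforced; fi
}

# Diagnostic for a running box: apply the rule to the real timestamp file.
dnssec_timecheck_state() {     # $1 = timestamp file path
    [ -e "$1" ] || { echo missing; return 1; }
    timecheck_state "$(stat -c %Y "$1")" "$(date +%s)"
}

# Walk the reboot sequence with constructed clock values: boot with the
# clock behind the file, NTP corrects it, dnsmasq re-touches the file.
# Prints "<state at boot> <state after NTP> <file mtime afterwards>".
simulate_boot() {              # $1 = file mtime, $2 = clock at boot, $3 = clock after NTP
    boot=$(timecheck_state "$1" "$2")
    after=$(timecheck_state "$1" "$3")
    if [ "$after" = enforced ]; then
        newmtime="$3"          # dnsmasq touches the file once checks are enabled
    else
        newmtime="$1"          # still suspended: file untouched
    fi
    echo "$boot $after $newmtime"
}
```

Run dnssec_timecheck_state against the configured file after a reboot to see which side of the rule the box is on; "suspended" while NTP is still behind is expected, "suspended" hours later means the clock never caught up.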