Odd NTPD entry in system log.

[Jakenaked]

I noticed an odd line in my system log output after making some router changes that required the router to reboot. I don't doubt there is a reasonable explanation for it but for the life of me I can't figure out what it would be. Here is the tail of the log:

Jan 5 06:15:27 freenas dhclient: New IP Address (re0): 192.168.1.254
Jan 5 06:15:27 freenas dhclient: New Subnet Mask (re0): 255.255.255.0
Jan 5 06:15:27 freenas dhclient: New Broadcast Address (re0): 192.168.1.255
Jan 5 06:15:27 freenas dhclient: New Routers (re0): 192.168.1.1
Jan 5 06:15:28 freenas ntpd[2193]: sendto(192.96.207.244) (fd=22): No route to host
Jan 5 06:15:28 freenas dhclient: New Routers (re0): 192.168.1.1

My network doesn't have any special NTP server configured so I'm just wondering where the 192.96.207.244 address came from. The 192.x.x.x address seems an odd choice. FreeNAS is setup just to use the default NTP servers, 0.freebsd.pool.ntp.org ... 2.freebsd.pool.ntp.org

Externally, the IP location info for that address is:

IP Address: 192.96.207.244
Domain: iv.lt
ISP: Uab Interneto Vizija

Country Code: US
Country Name: United States
Time Zone: -05:00
Region: Virginia
City: Manassas
ZIP Code: 20109
Area Code: 571/703

It looks like it's just a webserver with a site that isn't set up yet. *shrug*

I doubt it matters, but my version info is:
FreeBSD freenas.local 9.2-RELEASE-p12 FreeBSD 9.2-RELEASE-p12 #0 r262572+b043649 : Sun Sep 28 23:03:31 PDT 2014


I'm just curious more than anything where that IP came from, any guesses?

 

[depasseg]

pool.ntp.org uses a collection of hosts to provide time resolution. It's not always the same IP address. So that is where the IP address likely came from.

As for the error, it could just be that the host was down.

 

[jgreco]

Jan 5 06:15:28 freenas ntpd[2193]: sendto(192.96.207.244) (fd=22): No route to host
[...]
The 192.x.x.x address seems an odd choice.

No it doesn't seem an odd choice. "192" is not a designation that it is private IP space; most of 192.* is allocated to public use. However, 192.168.* is allocated to RFC1918 for use as private IP space (for NAT, etc). Outside of that specific /16, most of the space is allocated and most of it is public routed space. Allocations within 192.* tend to be some of the oldest allocations.

As depasseg notes, the NTP pool project has many, many participating servers, certainly a bunch will be on the 192.* nets.

The error popped up because your DHCP client momentarily pulled the default route while it registered a change.

 

[Jakenaked]

Aye, I suppose I should clarify. I didn't mean to imply that the 192.* address was strange for an address in and of itself, I was just thinking it odd if it were a placeholder type address, in a 169.254.x.x fashion.

I am sure there are tons of NTP servers in the BSD pools, but it did pique my interest after I had done an nslookup on those servers and didn't find the IP in question:

> 0.freebsd.pool.ntp.org
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Address: 204.235.61.9
Address: 171.66.97.126
Address: 70.35.113.44
Address: 206.253.167.5

> 1.freebsd.pool.ntp.org
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Address: 97.107.128.58
Address: 66.228.59.187
Address: 199.102.46.79
Address: 66.228.38.73

> 2.freebsd.pool.ntp.org
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Address: 199.102.46.77
Address: 208.68.36.196
Address: 38.229.71.1
Address: 173.230.235.13

I don't doubt the results above represent many more servers than the IP's would suggest. Heck each one could be a 24 server load-balanced group, but I'm still not sure where FreeNAS would have grabbed that IP from. I don't know how to get more than 4 results from a single nslookup. I haven't looked into it so there could be more than four A records per NTP pool. Even if that is the case though, how would FreeNAS retrieve that IP?

Anyhow, I do appreciate the replies, always fun to poke the curiosity bear with a stick once in a while.

 

[jgreco]

Run those queries again later, and then tomorrow, and note that you may not see even a single IP address repeated twice. It balances load by handing out (what appear to be) random server addresses from the large pool of available servers participating in the NTP pool project.

It's a DNS server- side trick.

 

[depasseg]

There are over 3800 servers currently operating, so you will need to refresh many times to see them all.
http://www.pool.ntp.org/en/