NTP Pool News

Using the NTP Pool /
What IPs do I need to allow-list to use the NTP Pool?

the set of IP-addresses returned by our authoritative DNS-servers changes every few minutes so the load will be evenly distributed as good as possible among all volunteered time server resources.

It’s not possible to allow-list all the IPs, you have to allow the traffic by port number.

Stateful firewalls are capable of regarding the reply package as ‘related’ traffic. Therefore, you only need to allow outbound traffic to 0.0.0.0/0 UDP destination port 123 and all ‘related’ inbound traffic. So, there is no need at all to allow 0.0.0.0/0 incoming connections.

An alternative is to setup a server in your “DMZ” (or outside the firewall) and run an ntp server there. Then your internal systems can synchronize time from your own trusted server at that IP address.

Some firewall systems or gateway boxes also have NTP functionality built-in that your internal systems might be able to use.