I am trying to set up a firewall (Cisco ASA, but I don't think that matters) to allow an internal time server out to the internet to synch its clock. The issue is this time server is also a DC/DNS server. At the moment, the firewall is blocking all outside access anywhere except for a VPN connection to a specific server at a different office. We cannot use that link to synch the time though.
I'm thinking of using pool.ntp.org. However in order to do that, I would have to allow DNS. Since the time pool is a moving target, I can't allow just by IP, correct? But if I allow DNS that means other devices could get internet name resolution, even if they aren't allowed any sort of external access. Is there any risk in that? Or perhaps there is a better way to do this?