What is the safest way to allow internet access to the time?

I am trying to set up a firewall (Cisco ASA, but I don't think that matters) to allow an internal time server out to the internet to synch its clock. The issue is this time server is also a DC/DNS server. At the moment, the firewall is blocking all outside access anywhere except for a VPN connection to a specific server at a different office. We cannot use that link to synch the time though.

I'm thinking of using pool.ntp.org. However in order to do that, I would have to allow DNS. Since the time pool is a moving target, I can't allow just by IP, correct? But if I allow DNS that means other devices could get internet name resolution, even if they aren't allowed any sort of external access. Is there any risk in that? Or perhaps there is a better way to do this?
Brian B (EE Topic Advisor, Independent Technology Professional) asked:
Brian B (EE Topic Advisor, Independent Technology Professional, Author) commented:
The concern is that IPs could change, so I'm going to use a different time source. So it sounds like I can't do this as I really wanted, but the information provided was helpful, thanks.
noci (Software Engineer) commented:
If you narrow down somewhat...
The pool is too large, but there are also regional pools, or country-based pools.
Near NTP servers are preferred above one on the opposite side of the globe.

Check out this site for the rules of engagement.

From there you can zoom in on continent etc. etc.

If you select country-based, then most probably there are only one or two available.
Brian B (EE Topic Advisor, Independent Technology Professional, Author) commented:
Yes, but will those IPs change?
David Johnson, CD, MVP (Owner) commented:
Then you cannot use a pool; you have to use a specific server.
nslookup server 0.north-america.pool.ntp.org will give you 4 IP addresses that you can use.
> server 0.north-america.pool.ntp.org
Default Server:  0.north-america.pool.ntp.org
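The approach in this answer (resolve the regional pool names once, then permit only those addresses) leaves the asker's follow-up open: the records behind a pool name rotate, so a pinned allow-list will drift. The script below is an added example, not from the thread, that turns resolved addresses into a Cisco ASA object-group and reports what would need adding or removing relative to the addresses currently permitted; run it periodically from an admin host and review the diff before touching the firewall. The pool names, sample addresses and the object-group name NTP_SERVERS are constructed placeholders.

```python
"""Build a fixed NTP allow-list from pool names and detect drift.

Added example, not code from the original thread.  The pool names are the
public regional names; the sample answers, the allow-list and the ASA
object-group name are constructed placeholders.
"""
import ipaddress
import socket
from typing import Callable, Iterable

POOL_NAMES = ("0.north-america.pool.ntp.org", "1.north-america.pool.ntp.org")
OBJECT_GROUP = "NTP_SERVERS"  # assumed object-group name on the ASA

# Constructed sample answers (RFC 5737 documentation ranges), used so the
# script runs offline; real runs use the system resolver instead.
SAMPLE_ANSWERS = {
    "0.north-america.pool.ntp.org": ["203.0.113.10", "203.0.113.20"],
    "1.north-america.pool.ntp.org": ["203.0.113.20", "198.51.100.5"],
}

Resolver = Callable[[str], list[str]]


def resolve_live(name: str) -> list[str]:
    """Resolve a hostname to its IPv4 addresses with the system resolver."""
    infos = socket.getaddrinfo(name, 123, socket.AF_INET, socket.SOCK_DGRAM)
    return [sockaddr[0] for _family, _type, _proto, _canon, sockaddr in infos]


def resolve_pool(names: Iterable[str], resolver: Resolver = resolve_live) -> list[str]:
    """Return the de-duplicated, numerically sorted addresses behind the names."""
    found = set()
    for name in names:
        for addr in resolver(name):
            found.add(ipaddress.ip_address(addr))  # raises on a malformed answer
    return [str(a) for a in sorted(found, key=lambda a: (a.version, int(a)))]


def diff_allow_list(resolved: Iterable[str], allowed: Iterable[str]) -> dict:
    """Compare freshly resolved addresses with those currently permitted."""
    r, a = set(resolved), set(allowed)
    return {
        "add": sorted(r - a),          # now in the pool, not yet permitted
        "remove": sorted(a - r),       # permitted, but no longer answered
        "unchanged": sorted(r & a),
    }


def asa_object_group(addresses: Iterable[str], group: str = OBJECT_GROUP) -> str:
    """Render the addresses as an ASA network object-group definition."""
    lines = [f"object-group network {group}"]
    lines += [f" network-object host {addr}" for addr in addresses]
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline demonstration with the constructed answers.  Replace the
    # resolver argument with the default (resolve_live) for a real check.
    current = ["203.0.113.10", "192.0.2.99"]       # constructed allow-list
    resolved = resolve_pool(POOL_NAMES, resolver=lambda n: SAMPLE_ANSWERS[n])
    print(asa_object_group(resolved))
    print(diff_allow_list(resolved, current))
```

Because each resolution can return a different subset of pool members, a single diff showing additions and removals is expected rather than a fault; what it tells you is how often a pinned list would silently stop matching the servers your DC actually tries to reach, which is the risk the asker ultimately decided against.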

