DNS and NTP on same box?

2

I'm using DNS to hold forward zone records for my domain (example.com) and I'd like to add NTP as well so my servers can sync the time and take some load off the third-party NTP pool.

I understand it's best to always separate services, but I wasn't sure if NTP was one of those. Are there any security risks in having both DNS and NTP on the same server?

linmod77x

Posted 2015-08-07T00:29:51.870

Reputation: 35

Yes, you can do this, but make sure it's not exposed to the internet. – cybernard – 2015-08-07T01:03:43.650

I will use iptables to restrict the firewall to only allow my servers to sync with my NTP server and then set up another rule for the NTP server to only sync outbound UDP 123. – linmod77x – 2015-08-07T01:56:07.803
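The firewall plan sketched in the comments above, written out as an added example (this is not the asker's own rule set): DNS stays open to everyone, inbound NTP on UDP/123 is accepted only from a list of internal servers, and outbound UDP/123 is allowed so the daemon can reach the pool. The client addresses are hypothetical. One detail the plan glosses over: ntpd sends its upstream queries from UDP/123 to UDP/123, so the upstream replies arrive with destination port 123 too, and a plain "drop inbound 123" rule would cut the server off from the pool unless a conntrack rule for established flows comes first. The script prints the rules with DRY_RUN=1 (or `show`) and applies them as root with `apply`.

```shell
#!/bin/sh
# Added example, not from the original thread.  Generates or applies iptables
# rules for a host that serves DNS publicly and NTP only to internal servers.
# Addresses are hypothetical.  DRY_RUN=1 prints the commands instead of
# running them.

# Hypothetical internal servers allowed to query this NTP server
NTP_CLIENTS="10.0.1.10 10.0.1.11 10.0.1.12"
IPT="${IPT:-iptables}"

# Run an iptables command, or just print it when DRY_RUN=1
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

firewall_rules() {
    # 1. Replies to our own outbound queries.  ntpd talks 123 -> 123, so the
    #    upstream reply also has dport 123: without this conntrack rule ahead
    #    of the DROP below, the server could never sync with the pool.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # 2. DNS is public-facing in the thread, so 53/udp and 53/tcp stay open
    ipt -A INPUT -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -p tcp --dport 53 -j ACCEPT

    # 3. Inbound NTP only from the listed internal clients; everyone else dropped
    for c in $NTP_CLIENTS; do
        ipt -A INPUT -p udp --dport 123 -s "$c" -j ACCEPT
    done
    ipt -A INPUT -p udp --dport 123 -j DROP

    # 4. Outbound: let ntpd reach upstream servers on UDP/123.  Pool addresses
    #    rotate, so pinning destination IPs here is impractical; conntrack
    #    above admits only the replies to queries we initiated.
    ipt -A OUTPUT -p udp --dport 123 -j ACCEPT
}

# Generate the rule list without touching the kernel (subshell keeps DRY_RUN local)
rules_dry() { ( DRY_RUN=1; firewall_rules ); }

# Number of inbound NTP ACCEPT rules generated (one per client)
ntp_accept_count() {
    rules_dry | grep -c -- '-A INPUT -p udp --dport 123 -s .* -j ACCEPT'
}

# 1-based position of the first generated rule matching a pattern
rule_line() {
    rules_dry | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Sanity check: the conntrack rule must precede the NTP DROP, otherwise the
# replies from upstream are dropped.  Returns 0 when the order is right.
order_ok() {
    [ "$(rule_line 'ESTABLISHED')" -lt "$(rule_line 'dport 123 -j DROP')" ]
}

case "${1:-}" in
    show)  rules_dry ;;
    apply) firewall_rules ;;
esac
```

Run `sh ntp-fw.sh show` to review the generated commands before applying them; `order_ok` is the check worth keeping in any later edit of the rule set, since it is the ordering, not the individual rules, that decides whether the server can still sync.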

Answers

1

If you don't expect people to be able to hack either of these services (and in my opinion, both DNS and NTP are low-risk), then the security impact of having both on the same machine is still low. In a bigger network, this machine should not be accessible from the outside at all, reducing the attack surface further.

In my opinion, it is fair to say that NTP - next to e.g. DNS and DHCP - is essential to the network as a whole. So I would actually prefer to have it on the same machine (and invest in a failover solution).

Sebastian R.

Posted 2015-08-07T00:29:51.870

Reputation: 364

The two DNS servers are public facing, but NTP would be restricted to the private network so no one can just request the time from me without being allowed through the firewall. So in essence, NTP should be secure from a firewall perspective. The NTP server will have a firewall rule to sync the time from an NTP pool time server, but one would assume those are somewhat safe at least. – linmod77x – 2015-08-07T01:52:14.333
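The answer and the comment above both rely on the firewall to keep NTP private. As an added example (not from the thread or its participants), the same policy expressed in ntpd's own configuration, so the daemon refuses anything but time requests from the internal servers even if a firewall rule is later lost. The `restrict` directive is standard ntpd syntax; the upstream names and client addresses are hypothetical. The script prints the config and includes a small lint function that rejects a config whose catch-all `restrict default` line or per-client lines lack the access flags.

```shell
#!/bin/sh
# Added example, not from the original thread.  Emits an ntp.conf that mirrors
# the firewall policy at the application layer and lints such a config.
# Upstream names and client addresses are hypothetical.

NTP_CLIENTS="10.0.1.10 10.0.1.11 10.0.1.12"
UPSTREAM="0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"

# Print the configuration.  "restrict default" applies to every address not
# matched by a more specific line: noquery denies ntpq/ntpdc status queries,
# nomodify denies runtime configuration changes, nopeer denies unsolicited
# peer associations, notrap denies the trap service, and limited/kod
# rate-limits clients and answers abusive ones with a kiss-o'-death packet.
ntp_conf() {
    echo "driftfile /var/lib/ntp/ntp.drift"
    for u in $UPSTREAM; do
        echo "server $u iburst"
    done
    echo "restrict default kod nomodify notrap nopeer noquery limited"
    echo "restrict -6 default kod nomodify notrap nopeer noquery limited"
    echo "restrict 127.0.0.1"
    echo "restrict ::1"
    # Internal clients may ask for the time but nothing else
    for c in $NTP_CLIENTS; do
        echo "restrict $c nomodify notrap nopeer noquery"
    done
}

# Lint a config read from stdin.  Returns 0 only if a "restrict default" line
# exists with all the required flags and no per-address restrict line (other
# than localhost) is missing noquery.
ntp_conf_lint() {
    conf=$(cat)
    dflt=$(printf '%s\n' "$conf" | grep '^restrict default' | head -n 1)
    [ -n "$dflt" ] || return 1
    for flag in nomodify notrap nopeer noquery; do
        case " $dflt " in
            *" $flag "*) ;;
            *) return 1 ;;
        esac
    done
    # A client line without noquery would expose daemon status to that host
    if printf '%s\n' "$conf" | grep '^restrict [0-9]' \
            | grep -v '^restrict 127\.' | grep -v noquery | grep -q .; then
        return 1
    fi
    return 0
}

case "${1:-}" in
    show) ntp_conf ;;
    lint) ntp_conf_lint ;;
esac
```

`sh ntp-conf.sh show > /etc/ntp.conf` writes the file; `sh ntp-conf.sh lint < /etc/ntp.conf` checks an existing one. Keeping the client list in one place for both the firewall and ntp.conf is the practical point: the two controls only back each other up if they agree on who the clients are.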