How can I replace Amazon's NTP server with a local one (router settings)?

There is an OpenWRT router on the local network (12.09) and several Ezviz cameras. If the electricity goes out, then the time on the cameras gets lost and getting the recordings they make without a set time is a whole story...

I have built my NTP server on ESP. But I can't set up cameras to work with it, only 0.amazon.pool.ntp.org. DNS cannot be replaced, 8.8.8.8, 8.8.4.4. Perhaps also the router's address, I'm not sure. The task is to make sure that the camera receives time from the local NTP server if there is no Internet. Well, it will be a great option if the camera receives time from a real Amazon server, if there is Internet. And it would be necessary for the camera to still see one of Google's DNS servers so that the camera has access to its cloud.

The initial data.

NTP server 192.168.0.160 (Wi-Fi)
Contains an NTP server on port 123
Contains a DNS server with a single record (0.amazon.pool.ntp.org 192.168.0.160)
Redirects all DNS queries with other names to the router, for example (I can enter any IP address).

Camera 192.168.0.140 (Wi-Fi)
Requests the NTP server 0.amazon.pool.ntp.org
DNS 8.8.8.8 and 8.8.4.4

Router 192.168.0.100

/etc/config/network and /etc/config/wireless

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config interface 'lan'
option ifname 'eth0'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.0.100'

config switch
option name 'eth0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'eth0'
option vlan '1'
option ports '0 1 2 3 4'

config interface 'WAN_HUAWEI'
option proto 'dhcp'
option ifname 'eth2'

config interface 'WAN_ZTE'
option proto 'dhcp'
option ifname 'usb0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
option type 'mac80211'
option macaddr '90:f6:52:00:00:00'
list ht_capab 'SHORT-GI-20'
list ht_capab 'SHORT-GI-40'
list ht_capab 'TX-STBC'
list ht_capab 'RX-STBC1'
list ht_capab 'DSSS_CCK-40'
option country 'RU'
option hwmode '11ng'
option distance '1'
option channel '6'
option txpower '20'
option htmode 'HT20'

config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt'
option network 'lan'
option encryption 'psk-mixed'
option key '123456789'

First intercept DNS:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

Then configure either an A or CNAME record for 0.amazon.pool.ntp.org in your local DNS (dnsmasq) that will point to your local NTP server.

Or simply intercept NTP (port 123) the same as you intercept DNS:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns?

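As an added check (not from the thread and not part of any poster's setup): a minimal SNTP client in Python that sends the same kind of mode-3 request the camera sends to UDP port 123 and decodes the reply, so you can confirm from a PC on the LAN whether the ESP server at 192.168.0.160 (and the router at 192.168.0.100) actually answers with a synchronized clock. The addresses are the ones quoted in the thread; the sample reply packet is constructed for illustration.

```python
import socket
import struct

# Offset between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01), in seconds.
NTP_EPOCH_OFFSET = 2208988800

def build_ntp_request():
    """48-byte SNTP client packet: LI=0, version 3, mode 3 (client), everything else zero."""
    return bytes([0x1b]) + bytes(47)

def parse_ntp_response(data):
    """Decode the header and transmit timestamp of an NTP server reply (mode 4)."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    first = data[0]
    leap, version, mode = first >> 6, (first >> 3) & 7, first & 7
    if mode != 4:
        raise ValueError("not a server reply, mode=%d" % mode)
    stratum = data[1]
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp, seconds + fraction
    return {
        "leap": leap,
        "version": version,
        "stratum": stratum,
        "unix_time": secs - NTP_EPOCH_OFFSET + frac / 2 ** 32,
    }

def is_usable(reply):
    """A client can only sync from a server whose clock is set: stratum 1-15 and LI != 3 (unsynchronized)."""
    return 1 <= reply["stratum"] <= 15 and reply["leap"] != 3

def query_ntp(host, port=123, timeout=2.0):
    """Send one request to host:port and return the parsed reply (raises socket.timeout if nothing answers)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (host, port))
        data, _ = sock.recvfrom(512)
    return parse_ntp_response(data)

# Constructed sample reply (not captured from a real server): LI=0, v3, mode 4,
# stratum 1, refid "LOCL", transmit time 2023-08-05 12:00:00.5 UTC.
SAMPLE_REPLY = struct.pack("!BBBb11I", 0x1c, 1, 6, -20, 0, 0, 0x4C4F434C,
                           0, 0, 0, 0, 0, 0, 3900225600, 0x80000000)

if __name__ == "__main__":
    # Addresses from the thread: the ESP NTP server and the router.
    for host in ("192.168.0.160", "192.168.0.100"):
        try:
            reply = query_ntp(host)
            print(host, reply, "usable" if is_usable(reply) else "NOT usable")
        except (OSError, ValueError) as exc:
            print(host, "no valid reply:", exc)
```

If the ESP answers here but the camera still gets no time, the problem is on the DNS/redirect side (the name is not resolving to 192.168.0.160 for the camera), not on the NTP server.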

Do you mean you're running OpenWrt version 12.09?

Despite it being very old and end-of-life for years (over 12 years), some older versions had NTP issues.

The device is old, but it works. Why change it?
I'm trying to set up port 53 forwarding. It's difficult for me, I don't understand much about networks.

My bad, I thought you were having NTP setup issues. I'm not even sure the new firewall instructions being posted will work.

I won't elaborate on all the known/discovered vulnerabilities, etc. - I just assumed you wanted working NTP - and I noted older versions had issues (since it's old - I don't have notes on which versions, sorry).

If nothing is changed, then everything works in the basic configuration. If there is an Internet connection, the camera connects to it and adjusts the time. Everything is fine. The problems start when I want to use a local NTP server. Now I'm trying to follow the recommendations that I was given above. It hasn't worked out yet...


Syslog shows this:
Aug 5 18:03:43 OpenWrt daemon.info dnsmasq[3074]: query[A] 0.amazon.pool.ntp.org from 192.168.0.140
Aug 5 18:03:43 OpenWrt daemon.info dnsmasq[3074]: forwarded 0.amazon.pool.ntp.org to 192.168.0.160

I also set up the router's NTP server.

Aug 5 18:20:22 OpenWrt daemon.info dnsmasq[1601]: query[A] 0.amazon.pool.ntp.org from 127.0.0.1
Aug 5 18:20:22 OpenWrt daemon.info dnsmasq[1601]: forwarded 0.amazon.pool.ntp.org to 192.168.0.160

But I don't see my NTP server receiving these requests. I will continue my experiments tomorrow...

Since 12.09 is old and unsupported, it's unlikely anyone has useful information. I noted to you that version 12 [may have] had issues with NTP during that "era" - and I personally used ntpd during that time as a workaround because of it.

I hope this helps.

Feel free to allow others to respond - I hope the best for your issue.

Configuration syntax has significantly changed since then.

With unbound it seems to be a bit more tricky. Has someone by chance tried whether a CNAME entry is enough, meaning that setting up only a CNAME entry for ntp-g7g.amazon.com will suffice, or is it necessary to set up an additional authoritative DNS server?

CNAMEs

You can add a CNAME entry in local-data, however as Unbound isn't an Authoritative resolver it won't expand it. If a client makes a query for an A record they won't receive the CNAME in response. More info on the Unbound mailing lists

The only time your entry will be returned is if the client queries for a CNAME, which in practice means it'll probably be returned quite rarely

Still, if you want to add a CNAME anyway, then you can do this

local-data: "computer1 CNAME mycomputer.home"

If you really need to have your local DNS server resolve the CNAMES, the trick is to configure BIND or NSD on another port and create a stub-zone within Unbound.
