I had NTP set to prefer 0.opnsense.pool.ntp.org
Noticed in firewall live log repeated hits to 85.199.214.99:123 - server1.quickdrivingtestcancellations.net:123 (NTP)
I have low confidence in this domain/IP.
Have set to not prefer any *.opnsense.pool.ntp.org and instead added Cloudflare's NTP server.
Not sure of the exact nature of the suspicions, but on various threat intel the IP and domain are arousing suspicion.
What device is requesting that server? I would certainly regard that as suspicious if I hadn't set a device to use that server.
That looks like a legitimate NTP server with two domain names:
ntp2.leontp.com.
server1.quickdrivingtestcancellations.net.
Official NTP.org score for that server:
https://www.ntppool.org/en/scores/85.199.214.99
dig -x 85.199.214.99
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> -x 85.199.214.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62989
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;99.214.199.85.in-addr.arpa. IN PTR
;; ANSWER SECTION:
99.214.199.85.in-addr.arpa. 29466 IN PTR ntp2.leontp.com.
99.214.199.85.in-addr.arpa. 29466 IN PTR server1.quickdrivingtestcancellations.net.
The domain "quickdrivingtestcancellations" is unusual. Why would a driving test cancellation service volunteer as an NTP server? Maybe they've errantly become an NTP server and got added into the pool?
I would not be too concerned about it. The domain quickdrivingtestcancellations.net is not registered currently. There is only a reverse DNS entry still pointing to it from the IP.
Maybe the IP was transferred with a rack-mounted server to the new owner. The company owning the IP ("Single Mode Networks Ltd") is a hoster with a somewhat bad reputation (https://lowendtalk.com/discussion/195800/issues-with-ecomuk-single-mode-networks), whereas the domain leontp.com belongs to a company, Uputronics, making NTP clocks.
Quote from: Greg_E on March 10, 2025, 02:25:51 PM
What device is requesting that server? I would certainly regard that as suspicious if I hadn't set a device to use that server.
It's the NTP service on the firewall itself making these connections. It was set to use "0.opnsense.pool.ntp.org" and the "dubious" domain/address is part of that pool.
Quote from: meyergru on March 10, 2025, 02:51:27 PM
I would not be too concerned about it. The domain quickdrivingtestcancellations.net is not registered currently. There is only a reverse DNS entry still pointing to it from the IP.
Maybe the IP was transferred with a rack-mounted server to the new owner. The company owning the IP ("Single Mode Networks Ltd") is a hoster with a somewhat bad reputation (https://lowendtalk.com/discussion/195800/issues-with-ecomuk-single-mode-networks), whereas the domain leontp.com belongs to a company, Uputronics, making NTP clocks.
Ahhh, insightful and educational response. Thank you. My biggest concern at the time was the volume of requests which were going to that NTP server. Almost every minute or multiple per minute.
I put up a "cheap" GNSS NTP server so I don't go looking around the web much.
Every once in a while one or both of these two things happen:
1. An enthusiast is hired by an oddball organization and they give permission to use their infrastructure for a good cause, or that enthusiast uses it w/o their permission.
2. The organization comes up with a creative way to broaden their Internet footprint by volunteering for some free services.
So I would not worry too much about getting time from any such. After all, it is a matter of sending and receiving 2 UDP packets between the router and the NTP server. It's not that they go full-on hacking on you.
Compared to that, I am getting non-stop port-scanned by Microsoft, even after a cease and desist letter.
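The two-UDP-packet exchange described above, shown as an added example (not code from the thread or from OPNsense): it builds the NTPv4 client request, decodes a server reply into the fields worth checking when an unfamiliar pool server shows up in the firewall log (mode, stratum, reference id, kiss-o'-death), and includes a constructed reply builder so it runs offline. The `query()` helper and the sample values are assumptions, not captured traffic.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
# 48-byte NTPv4 header: flags, stratum, poll, precision, root delay, root dispersion,
# reference id, reference/origin/receive/transmit timestamps (64-bit 32.32 fixed point)
NTP_FMT = "!BBBbIIIQQQQ"


def to_ntp_ts(unix_seconds):
    """Unix seconds -> 64-bit NTP timestamp."""
    return int((unix_seconds + NTP_EPOCH_OFFSET) * (1 << 32))


def build_client_request(version=4):
    """The one packet the firewall sends: LI=0, version 4, mode 3 (client)."""
    flags = (0 << 6) | (version << 3) | 3
    return struct.pack(NTP_FMT, flags, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp_ts(time.time()))


def build_server_response(stratum, refid, tx_unix, version=4):
    """Constructed mode-4 reply for offline testing (assumed values, not a real capture)."""
    flags = (0 << 6) | (version << 3) | 4
    ts = to_ntp_ts(tx_unix)
    refid_int = int.from_bytes(refid.ljust(4, b"\0")[:4], "big")
    return struct.pack(NTP_FMT, flags, stratum, 6, -20, 0, 0x100, refid_int, ts, 0, ts, ts)


def parse_response(data):
    """Decode the reply into the fields a defender looks at before trusting the source."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    f = struct.unpack(NTP_FMT, data[:48])
    leap, version, mode = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7
    stratum, refid = f[1], f[6].to_bytes(4, "big")
    if stratum <= 1:
        # stratum 1: clock source code (GPS, PPS, ...); stratum 0: kiss-o'-death code (e.g. RATE)
        refid_text = refid.rstrip(b"\0").decode("ascii", errors="replace")
    else:
        refid_text = socket.inet_ntoa(refid)  # IPv4 address of the upstream server
    return {"leap": leap, "version": version, "mode": mode, "stratum": stratum,
            "refid": refid_text, "kiss_of_death": stratum == 0, "unsynchronized": leap == 3,
            "transmit_unix": f[10] / (1 << 32) - NTP_EPOCH_OFFSET}


def query(host, timeout=2.0):
    """Live exchange against a server (needs network): one request out, one reply back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_request(), (host, 123))
        data, _ = s.recvfrom(48)
    return parse_response(data)
```

A stratum-1 reply whose reference id reads GPS is consistent with a GNSS-disciplined clock like the one discussed in the thread; a stratum-0 reply is a kiss-o'-death and should never be used as a time source.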