NTP to dubious domain - 85.199.214.99 - server1.quickdrivingtestcancellations.ne

Started by Dizzy Reprobate, March 10, 2025, 02:09:26 PM

I had NTP set to prefer 0.opnsense.pool.ntp.org

Noticed in firewall live log repeated hits to 85.199.214.99:123 - server1.quickdrivingtestcancellations.net:123 (NTP)

I have low confidence in this domain/IP.

Have set to not prefer any *.opnsense.pool.ntp.org and instead added Cloudflare's NTP server.

Not sure of the exact nature of the suspicions, but on various threat intel the IP and domain are arousing suspicion.

What device is requesting that server? I would certainly regard that as suspicious if I hadn't set a device to use that server.

That looks like a legitimate NTP server with two domain names:

ntp2.leontp.com.
server1.quickdrivingtestcancellations.net.

Official NTP.org score for that server:
https://www.ntppool.org/en/scores/85.199.214.99

dig -x  85.199.214.99

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> -x 85.199.214.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62989
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;99.214.199.85.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
99.214.199.85.in-addr.arpa. 29466 IN    PTR     ntp2.leontp.com.
99.214.199.85.in-addr.arpa. 29466 IN    PTR     server1.quickdrivingtestcancellations.net.

Deciso DEC740

The domain is unusual: "quickdrivingtestcancellations". Why would a driving test cancellation service volunteer as an NTP server? Maybe they've errantly become an NTP server and got added into the pool?

I would not be too concerned about it. The domain quickdrivingtestcancellations.net is not registered currently. There is only a reverse DNS entry still pointing to it from the IP.

Maybe the IP was transferred with a rack-mounted server to the new owner. The company owning the IP ("Single Mode Networks Ltd") is a hoster with somewhat bad reputation, whereas the domain leontp.com belongs to a company Uputronics making NTP clocks.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
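The two checks used in this thread (reverse lookup of the pool member, then asking whether each PTR name really resolves back to the address) can be turned into a repeatable forward-confirmed reverse DNS audit. This is an added example, not code from anyone in the thread; it runs offline against constructed records mirroring the dig output above, and the assumption that ntp2.leontp.com forward-resolves to 85.199.214.99 while the unregistered .net name returns nothing is mine.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample records mirroring the dig output in the thread.
# Assumption for the example: ntp2.leontp.com forward-resolves to the IP,
# while the unregistered quickdrivingtestcancellations.net name has no A record.
SAMPLE_PTR = {
    "85.199.214.99": ["ntp2.leontp.com.",
                      "server1.quickdrivingtestcancellations.net."],
}
SAMPLE_A = {"ntp2.leontp.com.": ["85.199.214.99"]}

def sample_ptr_lookup(ip):
    """Offline stand-in for a PTR query. A live version would use dnspython:
    dns.resolver.resolve(dns.reversename.from_address(ip), 'PTR')."""
    return SAMPLE_PTR.get(ip, [])

def sample_a_lookup(name):
    """Offline stand-in for an A query on a PTR target (live: resolve(name, 'A'))."""
    return SAMPLE_A.get(name, [])

@dataclass
class PtrVerdict:
    ip: str
    ptr: str
    confirmed: bool  # True only if the PTR name resolves back to the IP

def check_ptrs(ip, ptr_lookup=sample_ptr_lookup, a_lookup=sample_a_lookup):
    """Forward-confirm every PTR record of one address (FCrDNS)."""
    ipaddress.ip_address(ip)  # reject malformed input before querying anything
    verdicts = []
    for name in ptr_lookup(ip):
        forward = set(a_lookup(name))
        verdicts.append(PtrVerdict(ip, name.rstrip("."), ip in forward))
    return verdicts

def audit_pool(ips, ptr_lookup=sample_ptr_lookup, a_lookup=sample_a_lookup):
    """Map each pool member to its confirmed / unconfirmed PTR names plus the
    pool monitor page (URL form taken from the thread) to consult for it."""
    report = {}
    for ip in ips:
        verdicts = check_ptrs(ip, ptr_lookup, a_lookup)
        report[ip] = {
            "confirmed": [v.ptr for v in verdicts if v.confirmed],
            "unconfirmed": [v.ptr for v in verdicts if not v.confirmed],
            "score_url": f"https://www.ntppool.org/en/scores/{ip}",
        }
    return report
```

An unconfirmed PTR, as here, is a stale reverse entry rather than evidence of compromise; the pool score page and the confirmed name are what actually tell you who operates the server.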

Quote from: Greg_E on March 10, 2025, 02:25:51 PM
What device is requesting that server? I would certainly regard that as suspicious if I hadn't set a device to use that server.

It's the NTP service on the firewall itself making these connections. It was set to use "0.opnsense.pool.ntp.org" and the "dubious" domain/address is part of that pool.

Quote from: meyergru on March 10, 2025, 02:51:27 PM
I would not be too concerned about it. The domain quickdrivingtestcancellations.net is not registered currently. There is only a reverse DNS entry still pointing to it from the IP.

Maybe the IP was transferred with a rack-mounted server to the new owner. The company owning the IP ("Single Mode Networks Ltd") is a hoster with somewhat bad reputation, whereas the domain leontp.com belongs to a company Uputronics making NTP clocks.
Ahhh. Insightful and educational response. Thank you. My biggest concern at the time was the volume of requests which were going to that NTP server. Almost every minute, or multiple per minute.