      we are monitoring our Web Gateway for several parameters. One parameter is that the output of "ntpq -p" should be something meaningful indicating that Web Gateway is connected to one or more NTP servers.


      Since the update to the output is:


      # time ntpq -p

      localhost: timed out, nothing received

      ***Request timed out


      real    0m10.011s

      user    0m0.000s

      sys     0m0.000s



      Sniffing around with strace a bit led to


      connect(3, {sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("")}, 16) = 0

      sendto(3, "\26\1\0\1\0\0\0\0\0\0\0\0", 12, 0, NULL, 0) = 12

      select(4, [3], NULL, NULL, {5, 0})      = 0 (Timeout)


      NTPQ connects to, sends some data, then waits for an answer and runs into a timeout. On the receiving end (NTPD) I see the data coming in but it does not bother with an answer. The reason is in /etc/ntp.conf:


      restrict default kod nomodify notrap nopeer noquery


      Removing the "noquery" part and restarting ntpd solves the problem. Actually, a global "noquery" is a bit harsh. If you insist on it then please add



      restrict ::1


      which lifts the restriction for localhost.


      Kind regards,
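As an added example (not code from the original post or from the Web Gateway product), here is how a monitoring job can check both symptoms described above without hanging for 10 s: it parses "ntpq -p" output for a selected peer with a full reach register, and it checks an ntp.conf for a loopback "restrict" line that is exempt from the global "noquery". The sample ntpq output and config fragments are constructed; "restrict 127.0.0.1" is assumed to be the IPv4 companion of the "restrict ::1" line from the post, and the coreutils "timeout" command is assumed to be available.

```shell
#!/bin/sh
# Constructed sample of "ntpq -p" on a synchronised host: the line flagged
# with "*" is the peer ntpd currently synchronises to.
SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 192.0.2.10       2 u   34   64  377    1.234   -0.456   0.123
+ntp2.example.net 192.0.2.11       2 u   12   64  377    2.345    0.789   0.234'

# Constructed sample of the failure from the post (ntpd refuses the query).
SAMPLE_NOQUERY='localhost: timed out, nothing received
***Request timed out'

# Constructed ntp.conf fragments: the shipped restrictive line, and the same
# with loopback exemptions added (restrict 127.0.0.1 is an assumption; the
# post only shows restrict ::1).
CONF_STRICT='restrict default kod nomodify notrap nopeer noquery'
CONF_LOCALHOST='restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1'

# ntpq_is_synced: read "ntpq -p" output on stdin; exit 0 only if a line
# starts with "*" (selected system peer) and its reach register (field 7)
# is 377, i.e. the last eight polls were all answered.
ntpq_is_synced() {
    awk '
        /^\*/ { if ($7 == "377") ok = 1 }
        END   { exit ok ? 0 : 1 }
    '
}

# conf_allows_local_query: read ntp.conf on stdin; exit 0 if a "restrict"
# line for a loopback address exists that does not itself carry "noquery".
# Commented lines do not match because $1 would be "#restrict".
conf_allows_local_query() {
    awk '
        $1 == "restrict" && ($2 == "127.0.0.1" || $2 == "::1") && $0 !~ /noquery/ { ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# check_ntp: the live check. The hard timeout keeps a noquery-restricted
# ntpd from blocking the monitoring run (assumes coreutils "timeout").
check_ntp() {
    timeout 5 ntpq -p 2>/dev/null | ntpq_is_synced
}

# Usage: uncomment to run against the local ntpd.
# if check_ntp; then echo "NTP OK"; else echo "NTP NOT SYNCED OR NOT QUERYABLE"; fi
```

Run the script on the gateway with the usage line enabled; a non-zero exit from check_ntp is what the monitoring system should alert on. conf_allows_local_query is for the config audit side: pipe /etc/ntp.conf into it to confirm the loopback exemption survived an update.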


          pushing the topic ... had the same problem when updating to 7.5.


          Kind regards,


            The problem with allowing queries from is that you can potentially send packets from external sources with spoofed source IP via UDP. Since there have been multiple vulnerabilities in the past related to status queries we decided to add noquery to the configuration.




              Hi Ralf,


              traffic from shouldn't get through the internet facing router in the first place. A network admin allowing this is a $INSERT_YOUR_FAVORITE_INSULT_HERE.


              Anyway: how do you propose we monitor the NTP status? In any corporate environment monitoring the NTP status is crucial to external auditors because they insist that logs are in sync. Actually, I concur.


              Consider this a request to expose NTP to a set of configurable IP addresses.


              Kind regards,


                Yes, most routers or firewalls would not allow such packets, but we know about deployments where we can't rely on that.


                Ideally ntpd would provide a unix domain socket for queries, but I don't think that's implemented. We need to look into the code to find out what other option we might have. May I ask you to open a feature request for this?