[chrony-users] Repeated 'refresh'es may cause excessive DNS queries |
I've found that repeatedly issuing "refresh" commands causes chrony to resolve each configured NTP server name multiple times. Furthermore, it appears to me that the number of resolve attempts per domain rises with each refresh.

This is especially problematic if:
- The local DNS resolver does not cache replies
- The upstream DNS server replies with a Time To Live (TTL) of 0

because then chrony will actually send DNS queries to the upstream DNS, instead of the request being served from the local DNS cache, potentially flooding the DNS server with hundreds of requests in rapid succession.

I can reproduce the issue with chrony 4.3 through 4.5. The exact number of requests issued may depend on timing or some other factors. My current 'high score' stands at ~500 DNS queries per source for one 'refresh'.

STEPS TO REPRODUCE:

1) Install a DNS server on machine A (can also be a VM) and configure it to always reply with a TTL of 0 for certain domains. This can be accomplished with dnsmasq and a hardcoded entry in /etc/hosts for, say, 2.europe.pool.ntp.org:

> cat /etc/hosts
# HACK for testing: use ptbtime1.ptb.de as source
192.53.103.108 2.europe.pool.ntp.org
[snip]

2) On machine B, point the local DNS resolver to machine A. Install chrony and configure it to use only the source from step 1.

> cat /etc/chrony/chrony.conf
pool 2.europe.pool.ntp.org minpoll 10 iburst
[snip]

3) Repeatedly issue "chronyc refresh" commands on machine B and watch the sparks (and the DNS queries) fly.

I have attached the resulting DNS traffic from a single "chronyc refresh" with the exact same setup as described above.

Regards,
Tim
Attachment: dns_trace.pcapng
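To notice a burst like the one described in this report from the resolver side, here is an added example (not part of the report, and not chrony's or dnsmasq's own code) that scans dnsmasq log-queries output for the same client repeating the same name many times within a short window. The log line layout and the sample lines are assumptions constructed for the example; the window and threshold are arbitrary defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed layout of a dnsmasq "log-queries" line:
#   Jan 10 12:00:00 host dnsmasq[812]: query[A] name from 10.0.0.2
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)$"
)

def parse_query(line, year=2024):
    """Return (timestamp, client, qname) for a query line, else None.
    Syslog timestamps carry no year, so one is assumed."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["client"], m["qname"].lower()

def find_bursts(lines, window_s=10, threshold=20):
    """Flag (client, qname) pairs seen at least `threshold` times within any
    sliding window of `window_s` seconds. Lines are expected in time order.
    Returns {(client, qname): peak in-window count}."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue  # non-query lines (replies, cached, config) are skipped
        ts, client, qname = parsed
        key = (client, qname)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop queries that fell out of the window
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

# Constructed sample log (not the report's pcap): one client asks for the pool
# name 30 times within two seconds, another client queries normally.
SAMPLE_LOG = [
    f"Jan 10 12:00:{i // 15:02d} hostA dnsmasq[812]: query[A] "
    f"2.europe.pool.ntp.org from 192.168.1.20" for i in range(30)
] + [
    "Jan 10 12:00:05 hostA dnsmasq[812]: query[A] example.org from 192.168.1.21",
    "Jan 10 12:03:00 hostA dnsmasq[812]: query[A] 2.europe.pool.ntp.org from 192.168.1.21",
]

if __name__ == "__main__":
    for (client, qname), count in find_bursts(SAMPLE_LOG).items():
        print(f"burst: {client} asked for {qname} {count} times in 10s")
```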