
Tuesday, July 23, 2024

Security Fun.


I recently locked down several things in my home network, including NTP.  Requests for time are all redirected to my security device, which serves as the official household time source.  The security device obtains time from internet servers I trust, and only those.

But, as always, there are devices that don't want to co-operate.  Take, for example, the NVIDIA Shield.  I found that after making the change, if I needed to hard-boot that device it would come back up showing the wrong time in automatic time mode.  Strange, since its NTP requests should be getting handled by the security device.

Sometimes you have to take things a step further and figure out why it's not co-operating.  I did some packet sniffing and found that the device wanted NTP from time.android.com, and when the response didn't come from the IP that name resolved to, it was ignored.

The solution?  Intercept the DNS request, tell the device that the IP for time.android.com is my security device, and let it think all is well:

I fixed it using dnsmasq, telling it that the IP address for time.android.com is my router.

Now when I unplug my device and plug it back in it has no problem getting time from my router. I got really tired of having to remember to manually enter time and date after every hard reboot of the system and then wondering why some applications wouldn't work right or why the device was slow... correct time is very important for secure communications. ;)

If you have Merlin RT on your router you can do this with dnsmasq over-rides: https://github.com/RMerl/asuswrt-merlin.ng/wiki/Custom-domains-with-dnsmasq

Basic steps:

1. Go to Administration -> System
2. Enable the "Enable JFFS custom scripts and configs" config option
3. Enable the "Enable SSH" config option
4. Create the configuration file for dnsmasq: touch /jffs/configs/dnsmasq.conf.add
5. Edit the configuration file: vi /jffs/configs/dnsmasq.conf.add (to start typing press I, to stop typing press ESC, to delete a line press ESC and then type dd and press ENTER)
6. Add the configuration for resolving the domain names into dnsmasq.conf.add (replace 192.168.1.1 with your router's LAN IP):

----
address=/time.google.com/192.168.1.1 # Force nvidia ntp to router (just in case update points it to google.com again)
address=/time.android.com/192.168.1.1 # Force nvidia ntp to router
dhcp-option=lan,42,192.168.1.1 # ntpMerlin
----

7. Restart the dnsmasq service (or just reboot the router): service restart_dnsmasq

Now your shield will happily accept time from your router.
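To confirm the override is doing what the packet capture showed it must (the reply has to come from the address time.android.com resolves to), here is an added SNTP check, written for this post and not part of the original or of Merlin/dnsmasq. It assumes the machine running it uses the router as its resolver; the acceptance rule (reject replies from any other source address) is modelled on the Shield behaviour described above, and the sample reply packet is constructed for offline testing.

```python
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800
NTP_PORT = 123

def build_request():
    """48-byte SNTP client packet: LI=0, VN=4, Mode=3, everything else zero."""
    return bytes([0x23]) + bytes(47)

def accept_reply(expected_ip, source_ip, packet):
    """Apply the rule observed on the Shield (the reply must come from the
    address the hostname resolved to) plus basic SNTP sanity checks.
    Returns (stratum, unix_time) for an acceptable reply, else None."""
    if source_ip != expected_ip or len(packet) < 48:
        return None
    mode, stratum = packet[0] & 0x07, packet[1]
    if mode != 4 or stratum == 0:        # not a server reply, or Kiss-o'-Death
        return None
    tx_secs, tx_frac = struct.unpack("!II", packet[40:48])   # transmit timestamp
    return stratum, tx_secs - NTP_UNIX_OFFSET + tx_frac / 2**32

def make_sample_reply(unix_secs, stratum=2):
    """Constructed server reply (mode 4) carrying only a transmit time; used
    for offline checks. A real reply also fills the other timestamp fields."""
    tx = struct.pack("!II", unix_secs + NTP_UNIX_OFFSET, 0)
    return bytes([0x24, stratum]) + bytes(38) + tx

def query(hostname="time.android.com", timeout=2.0):
    """Resolve the name through the local resolver (dnsmasq), ask that address
    for time and apply the same acceptance rule. Raises if the reply is rejected."""
    expected_ip = socket.gethostbyname(hostname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (expected_ip, NTP_PORT))
        data, (source_ip, _) = sock.recvfrom(512)
    result = accept_reply(expected_ip, source_ip, data)
    if result is None:
        raise RuntimeError(f"reply from {source_ip} for {expected_ip} rejected")
    return expected_ip, source_ip, result

if __name__ == "__main__":
    ip, src, (stratum, ts) = query()
    print(f"{ip} answered from {src}, stratum {stratum}: {time.ctime(ts)}")
```

With the dnsmasq override in place the printed address should be the router's LAN IP; without it, the name resolves to the public server and any intercepted reply is rejected, which is the symptom the Shield showed.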
