If I am running ntp (via ntp.conf) heavily restricted, I cannot use a pool for a server. Why? Because the call to restrict (to allow access for the pool) seems to be another DNS Lookup, which returns another IP value than what was used to originally call the server. Please show me that I am wrong/being stupid about this.
Crude Example (portion of ntp.conf):
server 0.debian.pool.ntp.org iburst
restrict default ignore
restrict -6 default ignore
restrict 0.debian.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
This does not work (I think) because DNS calls to 0.debian.pool.ntp.org return different IP addresses and thus the wrong IP address is allowed via the (poorly named) restrict.
Use the builtin source
alias/directive/whatever:
restrict source nomodify notrap noquery
Updatedd to include documentation for source
:
restrict source configures a template restriction automatically added
at runtime for each association, whether configured, ephemeral, or
preemptible, and removed when the association is demobilized.
From: http://www.eecis.udel.edu/~mills/ntp/html/accopt.html#restrict