What are the Privacy Implications of NTP Requests (time sync) and how to mitigats them

unman · February 4, 2025, 2:44pm

Continuing the discussion from Prevent Qubes OS clearnet leaks:

Of course.

I set clockVM as downstream qube,(if at all), and block update checks
from sys-net and sy-firewall.
I also set the firewall to block any traffic originating from those
infrastructure qubes.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

qubist · February 4, 2025, 4:14pm

I set clockVM as downstream qube,(if at all), and block update checks
from sys-net and sy-firewall.

What is a clockVM? How do you connect it?

I also set the firewall to block any traffic originating from those
infrastructure qubes.

Can you share your whole setup to clarify?

solene · February 4, 2025, 4:17pm

it’s the qube that sync the local clock with a remote NTP server

qubist · February 4, 2025, 6:40pm

it’s the qube that sync the local clock with a remote NTP server

I don’t see it in Qube manager and I can’t find any docs about it. Could you link to more info please?

marcos-morar · February 4, 2025, 6:45pm

What kind of information does ClockVM leak on the clearnet?
What kind of information can my ISP get from NTP requests from ClockVM?

Although, like @qubist, I’ve never seen ClockVM in Qubes, I first heard about this term in this discussion. Before that, I only knew that clocksync is a service generally assigned to sys-net.

solene · February 4, 2025, 6:56pm

I guess @unman have a dedicated qube for the clocksync and they named it ClockVM

marcos-morar · February 4, 2025, 7:06pm

Alright! I’ll rephrase my question then:

As normally the clocksync service is managed by sys-net, and it sends requests to NTP servers over the clearnet.

So what kind of information does the clocksync service exposes on the clearnet?

solene · February 4, 2025, 7:55pm

Nothing really, except your IP address to the NTP server.

qEawma5f · February 4, 2025, 7:59pm

Could you configure the Clock Qube as sys-whonix? I came across a post in the forums stating that it wasn’t possible, but that was some time ago

unman · February 5, 2025, 4:24am

What? No.
clockvm is a property of a Qubes system, like netvm is a property of a
qube.
You can set it in the Global Config GUI, or with qubes-prefs clockvm

Well, if you are taking steps to run all traffic through Tor, but leave
timesyncd alone to run in the clear, that helps with fingerprinting your
system as Qubes.

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.

marcos-morar · February 5, 2025, 8:17am

Let’s say I’m using custom obfs4 bridges. For my ISP, it appears I’m just visiting random websites, which I can confirm using Sniffnet. What harm does clocksync cause by giving my IP to an NTP server? If sending a request to NTP servers can reveal that the request is generated from a Linux machine, then that’s a problem.

The update check of Fedora on the clearnet seems to be an issue. I’ve added an update check exception in global configurations and disabled update checks for sys-net and sys-firewall. Now I’m hoping the Fedora update check won’t happen on the clearnet.

However, if the dom0 update check is also done on the clearnet, that will be a huge problem.

solene · February 5, 2025, 8:23am

It seems Fedora qubes use Fedora’s NTP servers. This might give some information about your OS (although one could use Fedora NTP server without using Fedora).

marcos-morar · February 5, 2025, 8:55am

I started observing clocksync requests to NTP servers since yesterday. My Clock Qube is sys-net-dvm, which is Fedora-based.

Yesterday, it was sending NTP requests to some ISP company—I forgot the name—and today it is sending NTP requests to time.cloudflare.com.

So, it sent NTP requests to two different servers in two days. Is that normal?

In these two days, it did not send NTP requests to the Fedora NTP server. As it sent requests to two different servers in two days, is it possible it will also send requests to the Fedora NTP server?

I’m confused. Shouldn’t there be only one NTP server for the Clock Qube to send requests to?

barto · February 5, 2025, 9:00am

That’s not how NTP best practices work. The NTP servers themselves can drift or become malicious, so polling/asking 3-4 servers ensures that you get the time correctly.

solene · February 5, 2025, 9:03am

True, but it could be multiple servers from the same provider, there are usually 3 or 4 NTP servers for a provider.

Maybe I don’t know how to check systemd-timesyncd configuration, I used

timedatectl show-timesync --all

Which reported this for me.

LinkNTPServers=
SystemNTPServers=
RuntimeNTPServers=
FallbackNTPServers=0.fedora.pool.ntp.org 1.fedora.pool.ntp.org 2.fedora.pool.ntp.org 3.fedora.pool.ntp.org
ServerName=2.fedora.pool.ntp.org
ServerAddress=2a01:cb08:95b6:8402:b91f:2182:6e65:a74d
RootDistanceMaxUSec=5s
PollIntervalMinUSec=32s
PollIntervalMaxUSec=34min 8s
PollIntervalUSec=34min 8s
NTPMessage={ Leap=0, Version=4, Mode=4, Stratum=2, Precision=-22, RootDelay=16.830ms, RootDispersion=564us, Reference=D2417747, OriginateTimestamp=Wed 2025-02-05 09:48:57 CET, ReceiveTimestamp=Wed 2025-02-05 09:48:57 CET, TransmitTimestamp=Wed 2025-02-05 09:48:57 CET, DestinationTimestamp=Wed 2025-02-05 09:48:57 CET, Ignored=no, PacketCount=8, Jitter=14.875ms }
Frequency=-917221

Are you sure it was generated by sys-net-dvm? Could be a qube doing NTP requests as well. What is using NTP protocol?

marcos-morar · February 5, 2025, 9:10am

Sys-whonix is my default NetVM, and no qube is directly connected to sys-firewall except for sys-whonix. So, it must be an upstream qube, meaning it’s either sys-net-dvm or sys-firewall. Right?

I was monitoring traffic on Sniffnet using my external IP, so I couldn’t determine which qube generated it. I’ll monitor the traffic now using the internal IP; maybe that will provide some insight.

solene · February 5, 2025, 9:13am

what do you mean by external IP? If it’s on the router, it could be any kind of equipment at home. A lot of devices use NTP to sync time.

marcos-morar · February 5, 2025, 10:03am

I’m not sure of the correct term for this. By “external IP,” I mean that if I’m not mistaken, sys-net uses two interfaces: one to connect with the internet device, such as a router or any device providing internet, and the second to connect with sys-firewall and internal Qubes.

I was monitoring the interface that connects with the router. This interface does not show whether the traffic is generated by sys-net itself or coming from sys-firewall.

marcos-morar · February 5, 2025, 11:48am

Update: I just checked on Sniffnet, and sys-net-dvm is generating NTP requests to time.cloudflare.com instead of receiving them from another qube.

Should I ask the question here or create a new post for it? I want to know how to change the FallbackNTPServers and ServerName entries in the timesync configuration so that it won’t send NTP requests to Fedora NTP servers.

barto · February 5, 2025, 11:54am

In addition to the pre-configured (by Fedora and/or Qubes) NTP servers, each interface can get specific, higher priority NTP severs configured by e.g., DHCP. So if your ISP router at home is configured by its upstream (ISP) to use time.cloudflare.com, it will pass this info thru DHCP. I’d double-check the router for its DHCP server configuration (or whatever device acts as a DHCP server on your net).

Edited to add:
On the other hand, this NTP connection does not leak anything, if all the ISP devices are configured like this. You’re just one small tree in the big forest