
15.9. Understanding the ntpd Configuration File

The daemon, ntpd, reads the configuration file at system start or when the service is restarted. The default location for the file is /etc/ntp.conf and you can view the file by entering the following command:
~]$ less /etc/ntp.conf
The configuration commands are explained briefly later in this chapter (see Section 15.17, “Configure NTP”) and in more detail in the ntp.conf(5) man page.
Here follows a brief explanation of the contents of the default configuration file:
The driftfile entry
A path to the drift file is specified, the default entry on Fedora is:
driftfile /var/lib/ntp/drift
If you change this, be certain that the directory is writable by ntpd. The file contains one value used to adjust the system clock frequency after every system or service start. See Understanding the Drift File for more information.
The access control entries
The following line sets the default access control restriction:
restrict default nomodify notrap nopeer noquery
  • The nomodify option prevents any changes to the configuration.
  • The notrap option prevents ntpdc control message protocol traps.
  • The nopeer option prevents a peer association being formed.
  • The noquery option prevents ntpq and ntpdc queries, but not time queries, from being answered.


The ntpq and ntpdc queries can be used in amplification attacks, so do not remove the noquery option from the restrict default command on publicly accessible systems.
See CVE-2013-5211 for more details.
Addresses within the range are sometimes required by various processes or applications. As the "restrict default" line above prevents access to everything not explicitly allowed, access to the standard loopback address for IPv4 and IPv6 is permitted by means of the following lines:
# the administrative functions.
restrict ::1
Addresses can be added underneath if specifically required by another application.
Hosts on the local network are not permitted because of the "restrict default" line above. To change this, for example to allow hosts from the network to query the time and statistics but nothing more, a line in the following format is required:
restrict mask nomodify notrap nopeer
To allow unrestricted access from a specific host, for example, a line in the following format is required:
A mask of is applied if none is specified.
The restrict commands are explained in the ntp_acc(5) man page.
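The following Python audit is an added example, not part of the original documentation: it scans ntp.conf text and reports every restrict default line that lacks one of the four options listed above, noquery being the one tied to CVE-2013-5211. The sample configurations are constructed, and the -4/-6 selectors and the ignore flag are standard ntpd restrict syntax that this page does not show.

```python
import sys

# Options the default ntp.conf places on "restrict default" (from the page).
REQUIRED = ("nomodify", "notrap", "nopeer", "noquery")

def audit_restrict_default(conf_text):
    """Return [(line_no, [missing options])] for weak 'restrict default' lines.

    line_no 0 means the file has no 'restrict default' line at all, in which
    case ntpd applies no default restrictions (per the ntp_acc documentation).
    """
    findings, seen_default = [], False
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()      # drop comments
        if not tokens or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        if args and args[0] in ("-4", "-6"):       # optional address family
            args = args[1:]
        if not args or args[0] != "default":
            continue                               # per-host/network entry
        seen_default = True
        flags = set(args[1:])
        if "ignore" in flags:                      # denies all packets
            continue
        missing = [opt for opt in REQUIRED if opt not in flags]
        if missing:
            findings.append((line_no, missing))
    if not seen_default:
        findings.append((0, list(REQUIRED)))
    return findings

# Constructed sample: noquery has been removed from the IPv4 default entry.
SAMPLE_WEAK = """\
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer   # noquery removed
restrict -6 default nomodify notrap nopeer noquery
restrict ::1
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_WEAK
    for line_no, missing in audit_restrict_default(text):
        where = "line %d" % line_no if line_no else "no 'restrict default' line"
        note = " (ntpq/ntpdc queries answered, see CVE-2013-5211)" if "noquery" in missing else ""
        print("%s: missing %s%s" % (where, " ".join(missing), note))
```

Run it with the path to a configuration file as the only argument, for example /etc/ntp.conf; with no argument it audits the constructed sample.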
The public servers entry
By default, the ntp.conf file contains four public server entries:
server iburst
server iburst
server iburst
server iburst
The broadcast multicast servers entry
By default, the ntp.conf file contains some commented-out examples. These are largely self-explanatory. See Section 15.17, “Configure NTP” for the explanation of the specific commands. If required, add your commands just below the examples.


When the DHCP client program, dhclient, receives a list of NTP servers from the DHCP server, it adds them to ntp.conf and restarts the service. To disable that feature, add PEERNTP=no to /etc/sysconfig/network.