How to Disable IPv6 (UDP6) Listening in NTP Daemon on Debian



After configuring NTP to bind specifically to IPv4 interfaces using:

interface ignore wildcard
interface listen 192.168.1.100  # Example local IP

Many admins are surprised to see ntpd still listening on IPv6:

udp6       0      0 ::1:123                 :::*                                9172/ntpd

The NTP daemon has built-in behavior to maintain localhost (::1) IPv6 binding regardless of configuration. This serves several purposes:

  • Maintains local system clock synchronization
  • Provides fallback communication channel
  • Follows modern networking standards

For systems where IPv6 must be completely disabled:

# Add to /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

# Then apply:
sysctl -p

Alternatively, for NTP-specific control without system-wide changes:

# In /etc/default/ntp
# -4 restricts ntpd to IPv4; the uid:gid given to -u (121:130 here) is host-specific
NTPD_OPTS="-4 -p /var/run/ntpd.pid -g -u 121:130"

# Then restart:
service ntp restart

Confirm ntpd is no longer listening on IPv6:

ss -ulnp | grep ntp
netstat -tulnp | grep ntp  # For older systems

The output should show only IPv4 bindings:

udp   0   0 192.168.1.100:123    0.0.0.0:*     users:(("ntpd",pid=1234,fd=20))
udp   0   0 127.0.0.1:123        0.0.0.0:*     users:(("ntpd",pid=1234,fd=19))
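
The check above can be scripted as an allowlist audit. This is an added example, not part of the original page: the function names are hypothetical, the sample listing is constructed, and the allowed addresses are the example IPs used on this page.

```shell
#!/bin/sh
# Added example (not from the original page): allowlist audit of ntpd's
# UDP/123 sockets, fed with `ss -ulnp` or `netstat -ulnp` text on stdin.

# Print each local address ntpd has open on port 123, brackets stripped.
ntp_listen_addrs() {
    awk '/ntpd/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /:123$/) {          # first such field is the local address
                a = $i
                sub(/:123$/, "", a)      # drop the port
                gsub(/\[|\]/, "", a)     # ss prints IPv6 as [::1]
                print a
                break
            }
    }'
}

# Args: allowed local addresses. Lists every other listener; returns 1 if any.
audit_ntp_listeners() {
    bad=$(ntp_listen_addrs | while read -r addr; do
        ok=no
        for allowed in "$@"; do
            if [ "$addr" = "$allowed" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then echo "unexpected ntpd listener: $addr"; fi
    done)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
}

# Constructed sample in ss -ulnp layout; PIDs and fds are made up.
SAMPLE='UNCONN 0 0 192.168.1.100:123 0.0.0.0:* users:(("ntpd",pid=1234,fd=20))
UNCONN 0 0 127.0.0.1:123 0.0.0.0:* users:(("ntpd",pid=1234,fd=19))
UNCONN 0 0 [::1]:123 [::]:* users:(("ntpd",pid=1234,fd=21))'

# Flags the ::1 socket because only the two IPv4 addresses are allowed.
printf '%s\n' "$SAMPLE" | audit_ntp_listeners 127.0.0.1 192.168.1.100 || true
```

On a live host, pipe `ss -ulnp` into audit_ntp_listeners as root; the non-zero exit status makes it usable in a monitoring check.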

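For permanent IPv6 disabling at kernel level (this only has an effect where IPv6 is built as a loadable module rather than compiled into the kernel):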

echo "blacklist ipv6" >> /etc/modprobe.d/blacklist.conf
update-initramfs -u
reboot

After configuring NTP to bind only to specific IPv4 interfaces in /etc/ntp.conf:

interface ignore wildcard
interface listen 192.168.1.100

Many administrators are surprised to find NTP still listening on IPv6:

udp6       0      0 ::1:123                 :::*

The NTP daemon (ntpd) has built-in defaults that prioritize localhost communications. Even with explicit IPv4 binding, these defaults persist:

  1. Localhost time synchronization (127.0.0.1 and ::1)
  2. Automatic clock discipline
  3. Fallback mechanisms

To fully disable IPv6 listening, you need both configuration and kernel-level changes:

# /etc/ntp.conf additions:
# ignore every IPv6 address
interface ignore ipv6
interface ignore wildcard
interface listen 192.168.1.100
interface ignore ::1

Then apply sysctl changes:

# /etc/sysctl.conf additions:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

After implementing these changes:

# Verify NTP bindings:
ss -ulnp | grep ntp

# Check sysctl settings:
sysctl -a | grep disable_ipv6

For temporary testing without config changes:

ntpd -4 -I eth0 -L

Where -4 forces IPv4 only and -L disables local clock access.

  • These changes may affect local system clock synchronization
  • Consider keeping IPv6 localhost binding for container environments
  • Always test changes in non-production environments first