Time Services and Randomness Beacon
By the end of this lesson you will understand Cloudflare's free time synchronization services and the Randomness Beacon.
Cloudflare Time Services
Cloudflare operates free, public time synchronization services that any device or server can use to keep its clock accurate.
Available Protocols
| Protocol | Endpoint | Port | Authentication |
|---|---|---|---|
| NTP (Network Time Protocol) | time.cloudflare.com | 123/UDP | ❌ None: an on-path attacker can forge or alter responses |
| NTS (Network Time Security) | time.cloudflare.com | 4460/TCP for the TLS key exchange (NTS-KE), then 123/UDP for the authenticated NTP packets | ✅ NTP packets carry an AEAD authentication tag negotiated over TLS |
| Roughtime | roughtime.cloudflare.com | 2002/UDP | ✅ Ed25519-signed responses |
NTP (Network Time Protocol)
The most widely used time protocol. Configure your system to use Cloudflare's NTP server:
# /etc/chrony/chrony.conf
server time.cloudflare.com iburst
# Restart chrony
sudo systemctl restart chrony
# Verify
chronyc sources
# /etc/systemd/timesyncd.conf
# Note: systemd-timesyncd speaks plain NTP only; it has no NTS support.
[Time]
NTP=time.cloudflare.com
FallbackNTP=ntp.ubuntu.com
# Restart
sudo systemctl restart systemd-timesyncd
# Verify
timedatectl timesync-status
NTS (Network Time Security)
NTS (RFC 8915) is an extension to NTP that authenticates time responses. The client first performs a TLS handshake with the server on port 4460 (NTS Key Establishment) to agree on keys and collect cookies; the NTP packets that follow on 123/UDP carry an authenticated extension field, so a network attacker cannot forge or modify them. The timestamps themselves are not encrypted; what NTS provides is integrity and server authentication, which is what stops time spoofing.
# /etc/chrony/chrony.conf
server time.cloudflare.com iburst nts
# Restart chrony
sudo systemctl restart chrony
# Verify NTS
chronyc -N authdata
If your system supports NTS (chrony 4.0+; systemd-timesyncd does not), use NTS rather than plain NTP. With the `nts` option on the server line, chrony will not fall back to unauthenticated responses from that server. An attacker who can shift a host's clock can make it accept expired or not-yet-valid certificates, break DNSSEC signature validation, desynchronize TOTP and Kerberos, and corrupt the ordering of logs used in an investigation. One caveat: NTS-KE validates the server's TLS certificate, and that validation itself needs a roughly correct clock. A host that boots with a badly wrong clock (for example, no battery-backed RTC) can therefore fail to bootstrap; chrony's `nocerttimecheck` directive relaxes the certificate time check, but at the cost of the protection it gives, so prefer a working hardware clock and treat that directive as a last resort.
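The verification step above ends at reading `chronyc -N authdata` by eye. For a fleet you want a check that fails loudly when a host silently ends up on unauthenticated time or drifts. The script below is an added example, not part of chrony or this lesson: it parses the text output of `chronyc -N authdata` and `chronyc tracking` and reports a problem if the source is not in `NTS` mode, holds no cookies (NTS-KE never completed, so no packet could have been authenticated), or the clock offset exceeds a threshold. The two sample outputs are constructed to match chrony 4.x's column layout, not captured from a live host; the `--live` flag and the `max_offset` default are choices of this example.

```python
"""Added example: decide whether chrony is serving NTS-authenticated time.

Illustrative code, not part of chrony or the original lesson. The sample
outputs below are constructed to match the chrony 4.x column layout.
"""
import re
import subprocess
import sys

# Constructed sample of `chronyc -N authdata`. Columns:
# Name/IP address, Mode, KeyID, Type, KLen, Last, Atmp, NAK, Cook, CLen
SAMPLE_AUTHDATA = """\
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
time.cloudflare.com          NTS     1   15  256  33m    0    0    8  100
"""

# Constructed sample of `chronyc tracking` (only the System time line is used).
SAMPLE_TRACKING = """\
Reference ID    : A29FC87B (time.cloudflare.com)
Stratum         : 4
System time     : 0.000238764 seconds slow of NTP time
Last offset     : -0.000102395 seconds
Leap status     : Normal
"""


def parse_authdata(text):
    """Return {source: (mode, cookie_count)} for each line of authdata output."""
    sources = {}
    for line in text.splitlines()[2:]:      # skip the header and the ==== rule
        cols = line.split()
        if len(cols) < 10:
            continue
        sources[cols[0]] = (cols[1], int(cols[8]))   # Mode, Cook
    return sources


def parse_offset(text):
    """Signed system-clock offset in seconds from `chronyc tracking`.
    chrony prints 'fast of' when the local clock is ahead, 'slow of' when behind."""
    m = re.search(r"System time\s*:\s*([0-9.]+) seconds (fast|slow) of NTP time", text)
    if not m:
        raise ValueError("no 'System time' line found")
    value = float(m.group(1))
    return value if m.group(2) == "fast" else -value


def assess(authdata_text, tracking_text, source="time.cloudflare.com", max_offset=0.5):
    """Return (ok, reasons). ok is False when the source is not in NTS mode,
    has zero cookies, or the clock is off by more than max_offset seconds."""
    reasons = []
    mode, cookies = parse_authdata(authdata_text).get(source, ("-", 0))
    if mode != "NTS":
        reasons.append(f"{source}: mode is {mode!r}, not NTS (time is unauthenticated)")
    elif cookies == 0:
        reasons.append(f"{source}: NTS configured but no cookies held (NTS-KE failed?)")
    offset = parse_offset(tracking_text)
    if abs(offset) > max_offset:
        reasons.append(f"clock offset {offset:+.3f}s exceeds {max_offset}s")
    return (not reasons, reasons)


def assess_live():
    """Run the real commands (needs chrony 4.0+ and a running chronyd)."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return assess(run("chronyc", "-N", "authdata"), run("chronyc", "tracking"))


if __name__ == "__main__":
    ok, why = assess_live() if "--live" in sys.argv else assess(SAMPLE_AUTHDATA, SAMPLE_TRACKING)
    print("OK: NTS-authenticated time, clock within tolerance" if ok else "\n".join(why))
    sys.exit(0 if ok else 1)
```

Run it without arguments to see the check pass against the constructed samples, or with `--live` on a host running chronyd; a non-zero exit is what a monitoring agent or cron job would alert on.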
Why Accurate Time Matters
| System | Time Dependency |
|---|---|
| TLS/SSL | Certificate validity depends on accurate time |
| DNS | DNSSEC signature validation requires correct time |
| Logging | Forensic analysis requires accurate timestamps |
| Databases | Distributed databases use timestamps for conflict resolution |
| Authentication | TOTP (2FA codes) require synchronized clocks |
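The TOTP row is the easiest dependency to see in working code. The block below is an added example, not from the original lesson: it implements RFC 6238 TOTP (HOTP over 30-second steps, HMAC-SHA1) and a server-side check that tolerates one step of skew either way, then shows what a device whose clock is 20, 45 and 90 seconds off would produce. The shared secret is the ASCII test secret from RFC 6238, so the codes at the RFC's reference times match its published test vectors; the device skews are constructed for the demonstration.

```python
"""Added example: why TOTP needs synchronized clocks (RFC 6238).

Illustrative code, not from the original lesson. SECRET is the RFC 6238
test secret, so codes at the RFC reference times match its SHA-1 vectors.
"""
import hashlib
import hmac

SECRET = b"12345678901234567890"   # RFC 6238 test secret
STEP = 30                           # seconds per TOTP time step


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, `digits` decimal digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP):
    """TOTP is HOTP with the counter = number of whole steps since the epoch."""
    return hotp(secret, unix_time // step)


def verify(secret, code, server_time, window=1, step=STEP):
    """Accept `code` if it matches the server's current step or one within
    +/-window steps (the usual allowance for small skew). Returns the step
    offset that matched, or None. Offset 0 is tried first."""
    base = server_time // step
    for delta in sorted(range(-window, window + 1), key=abs):
        if hmac.compare_digest(hotp(secret, base + delta), code):
            return delta
    return None


if __name__ == "__main__":
    server_now = 1111111109          # RFC 6238 reference time; 6-digit code 081804
    for skew in (0, 20, 45, 90):
        device_code = totp(SECRET, server_now + skew)   # constructed device clock skew
        result = verify(SECRET, device_code, server_now)
        print(f"device clock {skew:+3d}s: code {device_code} -> "
              f"{'accepted at step offset %+d' % result if result is not None else 'rejected'}")
```

A skew of one full step (30 s) or more can push the device's counter outside the window, and at 90 s it always does; widening the window trades security for tolerance, which is why keeping the device clock synchronized is the better fix.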
Cloudflare Randomness Beacon
The Randomness Beacon is Cloudflare's public endpoint for drand, a distributed randomness beacon. The chain served at drand.cloudflare.com publishes a new 32-byte random value every 30 seconds; each value is signed, and anyone can verify both the signature and its link to the previous round.
What It's For
| Use Case | Description |
|---|---|
| Lotteries / drawings | Provably fair random selection |
| Audits | Verifiable random sampling |
| Cryptographic protocols | Entropy source for distributed systems |
| Research | Reproducible randomness with public auditability |
How It Works
Cloudflare is one member of the League of Entropy, the group of independent organizations that operates the drand network. In each round every member produces a partial BLS signature over the round number and the previous round's signature; once a threshold of partial signatures is collected they are combined into the round's signature, and the published random value is the SHA-256 hash of that signature. Because a BLS signature is deterministic for a given message and key, no member can steer the output, and because producing it needs a threshold of members, no single party can predict it before publication or withhold it alone.
curl -s https://drand.cloudflare.com/public/latest | jq
# Output:
# {
# "round": 12345678,
# "randomness": "a1b2c3d4e5f6...",
# "signature": "abcdef123456...",
# "previous_signature": "..."
# }
Verification
Each random value includes a cryptographic signature that anyone can verify, ensuring the value wasn't tampered with:
| Field | Purpose |
|---|---|
| round | Sequential round number |
| randomness | The random value (SHA-256 of the signature) |
| signature | BLS signature proving authenticity |
| previous_signature | Links to the previous round (chain of randomness) |
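Two of the relationships in the table above can be checked with nothing but a hash function, and a practitioner who wants to run a provably fair draw also needs to know which round to commit to. The block below is an added example, not part of drand or this lesson: it checks that `randomness` is SHA-256 of `signature`, that consecutive rounds chain through `previous_signature`, computes the round number that will be published at a given time (`genesis_time` and `period` are read from the chain's `/info` endpoint in real use), and derives distinct winners from a round's randomness. It does not verify the BLS signature itself, which needs the chain's public key from `/info` and a BLS12-381 library. The rounds embedded here are constructed with placeholder 96-byte "signatures" so the code runs offline; the `draw` label and the hypothetical round numbers are choices of this example.

```python
"""Added example: local consistency checks on drand rounds and a fair draw.

Illustrative code, not part of drand or the original lesson. The beacon
rounds below are constructed; their 'signature' fields are placeholders,
not BLS signatures, and the BLS signature is not verified here.
"""
import hashlib


def fake_round(number, prev_sig):
    """Constructed beacon round for demonstration only: the signature is a
    fixed 96-byte placeholder, so only the hash and chain relations hold."""
    sig = bytes([number % 256]) * 96
    return {"round": number,
            "randomness": hashlib.sha256(sig).hexdigest(),
            "signature": sig.hex(),
            "previous_signature": prev_sig.hex()}


# Three consecutive constructed rounds chained together (hypothetical numbers).
SAMPLE_ROUNDS = []
_prev = b"\x11" * 96
for _n in (1000, 1001, 1002):
    SAMPLE_ROUNDS.append(fake_round(_n, _prev))
    _prev = bytes.fromhex(SAMPLE_ROUNDS[-1]["signature"])


def check_randomness(r):
    """drand defines the randomness of a round as SHA-256 of its signature."""
    digest = hashlib.sha256(bytes.fromhex(r["signature"])).hexdigest()
    return digest == r["randomness"]


def check_chain(rounds):
    """Rounds must be numbered n, n+1, ... and each previous_signature must
    equal the signature of the round before it."""
    for a, b in zip(rounds, rounds[1:]):
        if b["round"] != a["round"] + 1 or b["previous_signature"] != a["signature"]:
            return False
    return True


def round_at(unix_time, genesis_time, period):
    """Round number published at unix_time; round 1 is published at genesis.
    Commit to a future round with this *before* it is published, then fetch
    /public/<round> once it exists."""
    if unix_time < genesis_time:
        return 0
    return (unix_time - genesis_time) // period + 1


def draw(randomness_hex, entries, n_winners, label=b"lesson-lottery"):
    """Pick n_winners distinct entries from the beacon randomness. The label
    (domain separator) and draw index are hashed in so that two different
    draws on the same round do not produce the same selection. The modulo
    bias of a 256-bit value over a small list is negligible."""
    remaining = list(entries)
    winners = []
    for i in range(n_winners):
        h = hashlib.sha256(label + bytes.fromhex(randomness_hex) + i.to_bytes(4, "big")).digest()
        winners.append(remaining.pop(int.from_bytes(h, "big") % len(remaining)))
    return winners


if __name__ == "__main__":
    print("randomness ok:", all(check_randomness(r) for r in SAMPLE_ROUNDS))
    print("chain ok:     ", check_chain(SAMPLE_ROUNDS))
    print("winners:      ", draw(SAMPLE_ROUNDS[-1]["randomness"],
                                ["alice", "bob", "carol", "dave", "erin"], 2))
```

To run this against the live beacon, replace the constructed rounds with the JSON from `https://drand.cloudflare.com/public/<round>` for consecutive rounds; the two checks apply unchanged, and a full verification adds a BLS check of `signature` against the chain public key from `/info`.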
Key Takeaways
- Cloudflare provides free NTP and NTS time services at time.cloudflare.com.
- NTS adds authentication to NTP so time responses cannot be spoofed; use it if your system supports it (chrony 4.0+).
- Accurate time is critical for TLS, DNSSEC, 2FA, logging, and distributed systems.
- The Randomness Beacon (drand) provides publicly verifiable randomness every 30 seconds.
- Useful for provably fair lotteries, audits, and cryptographic protocols.