Network time synchronization method, system, storage medium and electronic equipment bypassing UDP port blocking
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- LINKPLAY TECHNOLOGY INC NANJING
- Filing Date
- 2026-05-22
- Publication Date
- 2026-07-03
AI Technical Summary
In existing technologies, the primary UDP port of Network Time Protocol (NTP) is blocked by the network, causing the device's time synchronization to fail. There is a lack of an effective backup time synchronization mechanism, which affects the reliability of time synchronization and service availability of the device in complex network environments.
When the primary UDP channel is detected to be unreachable, a Domain Name System (DNS) query message containing time parameters is generated. An encrypted backup channel is established using transport layer security protocols to transmit the time synchronization request. The time parameters are extracted from the DNS response message to calculate the clock offset and correct the system clock.
It enables the recovery of time synchronization in network environments with blocked UDP ports, improving the success rate of time synchronization and the security of data transmission, and ensuring the normal operation of the device in complex network environments.
Smart Images

Figure CN122339829A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network time synchronization technology, and in particular to a network time synchronization method, system, storage medium, and electronic device for bypassing UDP port blocking. Background Technology
[0002] Network Time Protocol (NTP) is the most widely used time synchronization protocol on the Internet. It exchanges timestamp messages between clients and time servers via port 123 of the User Datagram Protocol (UDP), achieving millisecond-level clock synchronization accuracy. The reliance of various network access devices on accurate system clocks is extremely critical. On one hand, when devices access cloud service platforms, token validity verification in the OAuth authentication process and certificate validity verification in Transport Layer Security (TLS) communication both require the device's local clock to be within a certain deviation range from the standard time. Once the clock deviation exceeds the validity window of the token or certificate, authentication and encrypted connections will fail directly, and the device will be unable to use online services normally. On the other hand, multi-device collaborative synchronization functions require the clock deviation between devices to be controlled within milliseconds; otherwise, synchronization accuracy will deteriorate, severely impacting user experience.
[0003] However, the standard NTP protocol was designed in the early days of the Internet and uses plaintext UDP transmission. Its dedicated UDP port 123 is widely targeted for blocking by organizations and operators in modern network security strategies. Enterprise network firewalls typically only open common web service ports for Transmission Control Protocol (TCP), and UDP port 123 is often included in the default outbound blocking rules. Some home routers also blacklist this port to prevent network scanning and reflection amplification attacks. University networks and public wireless hotspots generally restrict outbound access to the UDP protocol for security management purposes.
[0004] When the network where the device resides blocks UDP port 123, standard NTP synchronization completely fails. The device will use the initial time at startup for an extended period, which is typically the firmware compilation time or the hardware clock time saved from the last shutdown. However, the hardware clock will drift significantly after power failure or prolonged operation. As the system clock error accumulates, it will gradually trigger a chain of availability problems, such as streaming media authentication failure, secure connection establishment failure, and degradation of multi-device collaborative synchronization functions. However, existing devices generally lack effective backup time synchronization mechanisms, and there are no alternative solutions available when facing UDP port blocking. Therefore, there is an urgent need for a new technical solution that can utilize other widely open ports in the network as backup time synchronization channels in network environments where UDP port 123 is blocked, to ensure the reliability of time synchronization and service availability of the device in various complex network environments. Summary of the Invention
[0005] The purpose of this invention is to solve the problem of device time synchronization failure caused by network blocking of the primary UDP port of the standard Network Time Protocol (NTP) in the prior art. It provides a network time synchronization method, system, storage medium, and electronic device that bypasses UDP port blocking. When the primary UDP channel is detected to be unreachable, it automatically switches to an encrypted backup channel, encapsulates the time synchronization request into a Domain Name System (DNS) query message, and sends it through the backup channel. Server-side time parameters are extracted from the returned response, and the clock offset is calculated and corrected by combining it with the client's local time parameters. This method restores time synchronization capability in a network environment with blocked UDP ports, while ensuring the security of time data through encrypted transmission.
[0006] On one hand, the present invention provides a network time synchronization method for bypassing UDP port blocking, comprising the following steps: The system sends a time synchronization request to the Network Time Protocol (NTP) server through the User Datagram Protocol (UDP) port to detect the reachability of the NTP primary channel. When it is determined that the primary channel of the network time protocol is unreachable, a query domain name containing the first time parameter is generated to form a domain name system query message encapsulating a time synchronization request; An encrypted connection is established with the target server based on the transport layer security protocol to construct a backup channel for secure transmission of the Domain Name System (DNS), and the DNS query message is sent to the target server through the backup channel. Receive the Domain Name System (DNS) response message returned by the target server, and extract the second time parameter added by the target server from the response message; The clock offset between the client and the target server is calculated based on the first time parameter and the second time parameter, and the local system clock is adjusted according to the clock offset.
[0007] Furthermore, probing the reachability of the Network Time Protocol (NTP) primary channel includes: Send probe packets in parallel to multiple preset network time protocol servers and set a uniform timeout period; If no valid response is received from any of the Network Time Protocol (NTP) servers within the timeout period, the NTP primary channel is determined to be unreachable.
[0008] When it is determined that the primary network time protocol channel is unreachable, the method further includes: The identification information of the current network environment is associated with and stored in relation to the blocking status; After a preset time period, based on the stored state, the primary network time protocol channel is re-probeed in the background to update the blocking state.
[0009] Furthermore, the Domain Name System (DNS) query message encapsulating a time synchronization request includes: The first timestamp, representing the client's current local time, is combined with a randomly generated value to construct a domain name in a specific format; Initiate a Domain Name System (DNS) query of type text record, and use the domain name as the query content to generate the DNS query message.
[0010] Furthermore, calculating the clock offset between the client and the target server includes: Record the client's sending timestamp when the Domain Name System query message is sent, and the client's receiving timestamp when the Domain Name System response message is received; Extract the server-side receiving timestamp and server-side sending timestamp recorded by the target server from the text record of the response message; Based on the client's sending timestamp, the client's receiving timestamp, the server's receiving timestamp, and the server's sending timestamp, calculate the round-trip delay between the client and the target server and the clock offset.
[0011] Preferably, the method further includes: The generation and transmission of the Domain Name System query message are performed multiple times to obtain multiple estimated values of the clock offset; The multiple estimated values are sorted and the median is taken as the final clock offset, which is used to adjust the local system clock.
[0012] Further, adjusting the local system clock based on the clock offset includes: The absolute value of the calculated clock offset is compared with a preset first threshold and a second threshold, wherein the second threshold is less than the first threshold; When the absolute value is greater than the first threshold, the system clock is adjusted by direct setting. When the absolute value is between the second threshold and the first threshold, the system clock is gradually corrected using a smooth adjustment method; When the absolute value is less than or equal to the second threshold, fine-tuning is performed by adjusting the clock frequency.
[0013] Furthermore, establishing an encrypted connection with the target server based on transport layer security protocols includes: When establishing a connection for the first time, a first-time trust usage strategy is adopted to receive and cache the fingerprint information of the digital certificate provided by the target server; When establishing a connection later, if the certificate fingerprint provided by the server matches the cached fingerprint information, the certificate validity period verification will be skipped and an encrypted connection will be established directly.
[0014] Preferably, after establishing the encrypted connection and completing a time synchronization query, the session ticket of the encrypted connection is cached; When a time synchronization query is required in the future, the session ticket is reused to rebuild the encrypted connection, thereby shortening the connection establishment time.
[0015] More preferably, the establishment of the encrypted connection further includes: Attempt to establish the encrypted connection with the target server through multiple preset ports; If the connection fails through the default Domain Name System (DNS) secure port, it will automatically switch to the Hypertext Transfer Protocol (HTTP) port to attempt a connection.
[0016] Furthermore, after extracting the second time parameter added by the target server from the response message, the method further includes: The extracted timestamp sent by the time server, the timestamp received by the time server, and the calculated round-trip delay are subjected to a validity verification, wherein the validity verification includes: Verify whether the timestamp is within a preset reasonable time range, verify whether the round-trip delay is within a preset reasonable delay interval, and verify whether the difference between the server-sent timestamp and the server-received timestamp is within a preset range. Only after all verifications have passed will the clock offset be calculated based on the second time parameter.
[0017] Furthermore, the method also includes: Monitor and record relevant information for each time synchronization event, including the type of time source channel used, the calculated clock offset, and the identifier of the current network; The recorded information is reported to the cloud management platform so that the cloud management platform can optimize the time synchronization strategy and distribute it to the client based on the time synchronization status under different network environments.
[0018] On the other hand, the present invention also provides a network time synchronization system for bypassing UDP port blocking, comprising: The primary channel detection module is used to send a time synchronization request to the Network Time Protocol (NTP) server through the User Datagram Protocol (UDP) port in order to detect the reachability of the NTP primary channel. The time query encapsulation module is used to generate a query domain name containing a first time parameter when it is determined that the primary channel of the network time protocol is unreachable, so as to form a domain name system query message encapsulating a time synchronization request; The backup channel establishment module is used to establish an encrypted connection with the target server based on the transport layer security protocol to build a backup channel for secure transmission of the Domain Name System (DNS), and to send the DNS query message to the target server through the backup channel; The time parameter extraction module is used to receive the Domain Name System response message returned by the target server and extract the second time parameter added by the target server from the response message; The clock offset correction module is used to calculate the clock offset between the client and the target server based on the first time parameter and the second time parameter, and adjust the local system clock according to the clock offset.
[0019] In addition, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed by a processor, implements the network time synchronization method for bypassing UDP port blocking as described above.
[0020] Meanwhile, an electronic device is provided, comprising: one or more processors; and a storage device for storing one or more programs, which, when executed by the one or more processors, cause the one or more processors to implement the network time synchronization method for bypassing UDP port blocking as described above.
[0021] Compared with the prior art, the beneficial effects of the present invention are: (1) This invention detects the reachability of the primary channel of the Network Time Protocol and automatically triggers the backup channel process when the primary channel is determined to be unreachable, thereby realizing automatic detection and seamless switching of UDP port blocking status. The whole process does not require user intervention. (2) By generating a query domain name containing a first time parameter, the present invention encapsulates the time synchronization request into a domain name system query message, so that the time synchronization data can be transmitted using the widely open DNS-related ports in the network, effectively bypassing the blocking restrictions of UDP ports. (3) By establishing an encrypted connection with the target server based on the transport layer security protocol, the present invention forms a backup channel to carry time synchronization queries, which ensures the confidentiality and integrity of time synchronization data during transmission and reduces the security risk of plaintext transmission being tampered with. (4) This invention extracts the second time parameter added by the target server from the domain name system response message, calculates the clock offset and corrects the local system clock by combining the first time parameter of the client, restores the device's time synchronization capability in the harsh network environment of UDP port blocking, and significantly improves the success rate of time synchronization in complex network environments. Attached Figure Description
[0022] The accompanying drawings are provided to further illustrate the invention and form part of the specification. They are used in conjunction with embodiments of the invention to explain the invention and do not constitute a limitation thereof. In the drawings: Figure 1 This is a flowchart of a network time synchronization method for bypassing UDP port blocking according to the present invention; Figure 2 This is a block diagram of a network time synchronization system for bypassing UDP port blocking according to the present invention. Figure 3 This is a schematic diagram of an embodiment of an electronic device according to the present invention. Detailed Implementation
[0023] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0024] The specific embodiments of the present invention will be described below with reference to the accompanying drawings and examples.
[0025] Example 1
[0026] Please see Figure 1 The network time synchronization technical solution for bypassing UDP port blocking provided in this embodiment includes the following steps: S1: Send a time synchronization request to the Network Time Protocol (NTP) server through the User Datagram Protocol (UDP) port to detect the reachability of the NTP primary channel; S2: When it is determined that the primary channel of the network time protocol is unreachable, a query domain name containing the first time parameter is generated to form a domain name system query message encapsulating a time synchronization request; S3: Establish an encrypted connection with the target server based on the transport layer security protocol to build a backup channel for secure transmission of the Domain Name System (DNS), and send the DNS query message to the target server through the backup channel; S4: Receive the Domain Name System (DNS) response message returned by the target server, and extract the second time parameter added by the target server from the response message; S5: Calculate the clock offset between the client and the target server based on the first time parameter and the second time parameter, and adjust the local system clock according to the clock offset.
[0027] First, perform Network Time Protocol (NTP) reachability detection in step S1, i.e., standard NTP reachability assessment. Detecting the reachability of the primary NTP channel includes: S11: Send probe packets in parallel to multiple preset network time protocol servers and set a uniform timeout period; S12: If no valid response is received from any of the Network Time Protocol (NTP) servers within the timeout period, the NTP primary channel is determined to be unreachable.
[0028] Specifically, after the device completes network connection, it first sends NTP v4 request packets (48 bytes, Mode=3, Client mode) in parallel to four public time servers via the standard NTP protocol (UDP port 123), and sets the UDP receive timeout T_ntp_timeout (default 3 seconds). The built-in list of public NTP server addresses includes: pool.ntp.org (NTPPool Project), time.cloudflare.com (Cloudflare NTP), time.google.com (Google Public NTP), and ntp.aliyun.com. If any server returns a valid NTP response packet (Mode=4, Server mode, Stratum>0) within T_ntp_timeout, the standard NTP channel is considered reachable; if all four servers time out without response, UDP port 123 is considered blocked, triggering the DoT backup channel process.
[0029] In the reachability detection process, a parallel probe strategy is employed, simultaneously sending UDP probe packets to four NTP server addresses and waiting for responses in parallel. A response from any one server is used as the criterion for success, while all four timeouts are used as the criterion for failure. Parallel probes reduce the maximum waiting time for blocking detection from 12 seconds in a serial process to a single timeout of T_ntp_timeout (3 seconds), significantly improving the user experience during device startup.
[0030] For example, after a device establishes a Wi-Fi connection within an enterprise's intranet (where the firewall blocks all UDP outbound traffic), it simultaneously sends UDP / 123 NTP v4 request packets to four NTP servers, initiating a 3-second parallel timeout timer. After 3 seconds, all four servers time out without responding (total probe time 3 seconds, significantly shorter than the 12 seconds of serial probes), indicating that UDP port 123 is blocked. In this case, the public NTP (Network Time Protocol) server address: time.google.com (216.239.35.0) returns an NTP response (Mode=4, Stratum=1) within 243ms, immediately determining NTP reachability, canceling the other three probes, and directly using the response to complete time synchronization. The total detection time is only 243ms, a significant improvement compared to the 12 seconds of serial probes. In a blocked network, the 3-second timer expires, all four probes fail to respond, and a blockage is determined, with a total waiting time of only 3 seconds.
[0031] Based on this, when it is determined that the primary network time protocol channel is unreachable, the method further includes: S13: Associate and store the identification information of the current network environment with the blocking status; S14: After a preset time period, based on the stored state, perform background re-probing of the primary network time protocol channel to update the blocking state.
[0032] Specifically, this method maintains a Block Status Cache, storing the UDP block status (BLOCKED / REACHABLE) and the last detection timestamp using the current network's BSSID (Wi-Fi access point MAC address) as the key. This ensures that changes in block status can be correctly identified when switching between different network environments. For networks determined to be BLOCKED, the system performs a background re-probe every 30 minutes. If the re-probe finds that UDP port 123 has become reachable again, the cache is updated and the system switches back to the standard NTP channel.
[0033] Next, step S2, DNS-over-TLS (DoT) time query encapsulation, can be performed. The DNS query message encapsulating the time synchronization request includes: S21: Combine the first timestamp representing the client's current local time with a randomly generated value to construct a domain name in a specific format; S22: Initiate a Domain Name System (DNS) query of type text record, and use the domain name as the query content to generate the DNS query message.
[0034] Specifically, a lightweight time query protocol (NTP-over-DoT protocol) based on DNS TXT query records is designed, utilizing the DNS TXT record type (RFC 1464) as the transmission carrier for NTP timestamps. Query format: The client sends a time query request to a specific domain name via a DNS TXT query (Query Type=TXT, Class=IN). The query domain name format is: [T_client_hex].[nonce_hex].time.wiimaudio.com, where T_client_hex is the client's local timestamp (a hexadecimal representation of a 64-bit Unix nanosecond timestamp), and nonce_hex is a 32-bit random number (to prevent DNS caching interference). Response format: Upon receiving a TXT query, a DNS server supporting the NTP-over-DoT protocol returns a JSON-formatted time response containing T_server_recv (server receive timestamp), T_server_send (server send timestamp), stratum, and precision in the RDATA field of the TXT record.
[0035] Then, step S3, establishing a secure channel, is performed. This includes establishing an encrypted connection with the target server based on transport layer security protocols. S31: When establishing a connection for the first time, a first-time trust usage strategy is adopted to receive and cache the fingerprint information of the digital certificate provided by the target server; S32: When establishing a connection later, if the certificate fingerprint provided by the server matches the cached fingerprint information, the certificate validity period verification is skipped and an encrypted connection is established directly.
[0036] Secondly, after establishing the encrypted connection and completing a time synchronization query, the session ticket of the encrypted connection is cached; When a time synchronization query is required in the future, the session ticket is reused to rebuild the encrypted connection, thereby shortening the connection establishment time.
[0037] In addition, the establishment of the encrypted connection also includes: Attempt to establish the encrypted connection with the target server through multiple preset ports; If the connection fails through the default Domain Name System (DNS) secure port, it will automatically switch to the Hypertext Transfer Protocol (HTTP) port to attempt a connection.
[0038] Specifically, a TLS-encrypted TCP connection (TCP port 853) is established with the DoT server. The system selects the target server from the built-in DoT server list, bypasses DNS resolution by using a direct IP address connection (to avoid the problem of DNS resolution failure due to inaccurate clocks), and initiates a TLS 1.3 handshake after completing the TCP three-way handshake.
[0039] During the TLS handshake, the verification of the server certificate adopts the TOFU (Trust On First Use) strategy: during the first connection, only the certificate subject domain name (CN) is verified to be consistent with the DoT server domain name, and the SHA-256 fingerprint of the server certificate is accepted and cached; during subsequent connections, the server certificate fingerprint is compared with the cached fingerprint. If they are consistent, the time-related certificate validity period verification (NotBefore / NotAfter fields) is skipped, and only the certificate fingerprint (Certificate Pinning) is verified, which fundamentally solves the deadlock problem caused by inaccurate system clocks leading to TLS handshake failure.
[0040] Secondly, TLS 1.3 provides a session resumption mechanism, allowing clients to reuse previous TLS session keys in subsequent connections, omitting the complete TLS key exchange handshake process and reducing connection establishment time from approximately 80-150ms to approximately 15-30ms. By utilizing TLS 1.3's PSK (Pre-Shared Key) mode to store session tickets, the same TLS session can be reused across five time queries, significantly reducing the cumulative latency of the overall time query.
[0041] Furthermore, a failover mechanism is implemented for the three built-in DoT servers: if a TCP 853 connection to the first DoT server fails within T_dot_timeout (default 5 seconds), it automatically switches to the next DoT server to attempt the connection. For a certain intelligent audio private DoT server (dot.wiimaudio.com), the system also attempts to connect via TCP port 443 (HTTPS port, identified by the dot protocol through ALPN negotiation), further circumventing scenarios where port 853 is blocked, thus enabling time synchronization even in extremely restricted networks where only TCP ports 80 / 443 are open.
[0042] In this embodiment, the device system clock is reset to 2000-01-01 00:00:00 due to RTC power failure. TSCEM initiates a TCP 853 connection to dot.wiimaudio.com (built-in IP address 101.XX.XX.XX), and the TCP three-way handshake is successful (approximately 45ms). The TLS 1.3 handshake begins, and the server certificate is received (CN=dot.wiimaudio.com, NotBefore=2025-01-01, NotAfter=2026-12-31). If standard TLS verification is used, the system clock 2000-01-01 is earlier than NotBefore=2025-01-01, which will cause certificate verification to fail (ERR_CERT_DATE_INVALID). The TOFU strategy is adopted: the initial connection ignores time-related verification, accepts the certificate and records its SHA-256 fingerprint, and the TLS handshake is successfully established (total handshake time approximately 87ms).
[0043] Alternatively, in an extremely restricted network environment (only TCP ports 80 / 443 are open), the connection to 1.1.1.1:853 is first attempted, but fails after a 5-second timeout; then, 8.8.8.8:853 is attempted, but fails after a 5-second timeout; finally, dot.wiimaudio.com:443 (TCP port 443 fallback) is attempted. The server also accepts the DoT protocol on port 443 (identifying the dot protocol through ALPN negotiation). The TCP connection is successfully established within 312ms, the TLS 1.3 handshake is completed within 91ms, and the total connection time is 403ms. The DoT channel is successfully established through port 443 to complete time synchronization.
[0044] Next, step S4, the extraction of the second time parameter, is performed. After extracting the second time parameter added by the target server from the response message, the process further includes: S41: Perform a validity verification on the extracted timestamp sent by the time server, the timestamp received by the time server, and the calculated round-trip delay, wherein the validity verification includes: Verify whether the timestamp is within a preset reasonable time range, verify whether the round-trip delay is within a preset reasonable delay interval, and verify whether the difference between the server-sent timestamp and the server-received timestamp is within a preset range. S42: Only after all verifications have passed will the clock offset be calculated based on the second time parameter.
[0045] Specifically, time synchronization data is extracted from the RDATA field of the DNS TXT record returned by the DoT server, and the following four validity checks are performed: (1) Timestamp range verification (T_server_send must be greater than the preset earliest valid timestamp T_earliest=2020-01-01 and within a reasonable range); (2) Round-trip delay reasonableness verification ( (3) Verification of the reasonableness of server response latency ( (4) Stratum value verification (must be between 1 and 15). Only after all four verifications are passed will the timestamp data be accepted for clock calibration.
[0046] Before sending a DNS TXT query, record the local sending timestamp T_client_send (CLOCK_MONOTONIC, nanosecond precision). After receiving the DNS response, record T_client_recv. Combine the T_server_recv and T_server_send returned by the server to calculate the clock offset in step S5. Calculating the clock offset between the client and the target server includes: S51: Record the client sending timestamp when the Domain Name System query message is sent, and the client receiving timestamp when the Domain Name System response message is received; S52: Extract the server-side receiving timestamp and server-side sending timestamp recorded by the target server from the text record of the response message; S53: Based on the client sending timestamp, client receiving timestamp, server receiving timestamp, and server sending timestamp, calculate the round-trip time (RTT) between the client and the target server and the clock offset.
[0047] Specifically, the round-trip delay is estimated using the standard NTP clock skew calculation formula. and clock offset , is represented as: , , in, This represents the local sending timestamp recorded when the client sends a Domain Name System query message, obtained based on a monotonic clock. This represents the local timestamp recorded when the client receives the Domain Name System (DNS) response message, obtained based on a monotonic clock. This indicates the server-side receiving timestamp recorded when the target server receives the Domain Name System query message, which is extracted from the text record field of the response message; This represents the server-side sending timestamp recorded when the target server sends the Domain Name System (DNS) response message, extracted from the text record field of the response message.
[0048] Among them, when the clock offset When the value is positive, the client clock lags behind the server clock and needs to be corrected forward; when the clock offsets... When the value is negative, the client clock is ahead of the server clock and needs to be corrected backward.
[0049] In addition, the above method also includes: The generation and transmission of the Domain Name System query message are performed multiple times to obtain multiple estimated values of the clock offset; The multiple estimated values are sorted and the median is taken as the final clock offset, which is used to adjust the local system clock.
[0050] Samples with shorter round-trip delays indicate smaller network path queuing jitter, closer symmetry between uplink and downlink delays, and correspondingly smaller clock skew estimation errors. The current embodiment... The second sampling only sorts and takes the median, failing to utilize the quality information of each sample itself. Therefore, in a usable embodiment, an inverse RTT ratio is chosen as the sample weight, combined with an outlier removal mechanism, to construct an inversely weighted pruned mean estimator, which significantly improves estimation accuracy without increasing the number of additional queries. Specifically, this includes: First, calculate the round-trip delay for each DNS query on a sample basis. and the original clock offset estimate , is represented as: , , in, , Indicates the first The client sends a timestamp during each query. Indicates the first The server receives the timestamp during each query. Indicates the first The server sends a timestamp during each query. Indicates the first The client receives a timestamp during each query. Then take the minimum round-trip delay from all samples. , with pruning factor Set a rejection threshold and construct a valid sample set. : ; For valid sets Calculate the weight for each sample in the dataset. , is represented as: , , The weighted average value is calculated using this weight as a coefficient and is used as the final clock offset estimate. : .
[0051] For example, total number of samples pruning factor The measurement data for each sample are as follows: The minimum round-trip time can be obtained from the above algorithm formula. And determine the rejection threshold. Sample 3 It was removed. Valid set. The weights of each valid sample are calculated as follows: , , , The final weighted estimate is calculated as follows: Compared to simply taking the median, if the congested samples ( If sample 3 is placed in the median position, the median will shift to 43.5 ms, resulting in an error of approximately 1.6 ms; however, this algorithm assigns extremely low weight to sample 3. The output value remained stable at +41.9 ms, closely approximating the actual offset. This demonstrates that the above algorithm significantly improves accuracy, sample utilization, and scenario specificity.
[0052] Based on this, adjusting the local system clock according to the clock offset includes: The absolute value of the clock offset is compared with a preset first threshold and a second threshold, wherein the second threshold is less than the first threshold; When the absolute value is greater than the first threshold, the system clock is adjusted by direct setting. When the absolute value is between the second threshold and the first threshold, the system clock is gradually corrected using a smooth adjustment method; When the absolute value is less than or equal to the second threshold, fine-tuning is performed by adjusting the clock frequency.
[0053] In this embodiment, after completing the clock offset After calculation, according to Different clock update strategies are chosen based on the size: large offset scenarios ( Calling `settimeofday()` directly sets the system clock (Step mode, allows abrupt changes, but smooth adjustments are not very meaningful as the system clock is severely inaccurate); Mid-offset scenarios ( Call adjtime() to smoothly adjust at a rate of up to 500ms per second (Slew mode); small offset scenarios ( Calling adjtimex() fine-tunes the clock frequency using frequency adjustment, completely transparent to the application.
[0054] When scheduling using the above method, the optimal time source is dynamically selected based on the accuracy, reliability, and current network environment status of each source. The system defines the following time source priorities (from high to low): The system detects the availability of each time source in descending order of priority every 30 minutes and automatically switches to the highest priority time source available to ensure that the system clock is always maintained with optimal accuracy.
[0055] In addition, the present invention also includes: Monitor and record relevant information for each time synchronization event, including the type of time source channel used, the calculated clock offset, and the identifier of the current network; The recorded information is reported to the cloud management platform so that the cloud management platform can optimize the time synchronization strategy and distribute it to the client based on the time synchronization status under different network environments.
[0056] Specifically, each time synchronization event is written to the device health monitoring log, and the reported content includes: time source type (NTP / DoT / HTTPS / RTC) and time offset. Round-trip delay Synchronization accuracy level and network environment identifier (BSSID). The cloud-based health monitoring platform aggregates time synchronization logs from relevant devices, identifies the frequency of UDP blocking in specific regions or operator networks, and provides data support for optimizing the built-in DoT server list and adjusting time source priority strategies.
[0057] When the network becomes completely unreachable (all P1-P3 fail), the system switches to P4 (device RTC) to maintain the connection for an extended period. To mitigate RTC drift, after each successful P1 / P2 / P3 time synchronization, the system writes the calibrated accurate time to the RTC hardware (via the / dev / rtc device node) and reads the SoC temperature at the time of synchronization (via the SoC temperature sensor). The system then uses the RTC chip's temperature compensation parameters (TCP) to correct the frequency deviation of the RTC at different temperatures, reducing the RTC's network-free drift rate from the default ±5 seconds / day to approximately ±1 second / day. This ensures that the accuracy requirements for HTTPS certificate validity verification and multi-room audio synchronization are still met within 72 hours after a network outage.
[0058] In summary, the method of this invention rapidly detects the reachability of the primary channel of the standard network time protocol through a parallel probing mechanism. Upon determining that the primary UDP port is blocked, it automatically selects the optimal available backup channel according to a preset time source priority order. The time synchronization request is encapsulated into a Domain Name System (DNS) query message of a specific format and transmitted through an encrypted backup channel based on a transport layer security protocol. Server-side time parameters are extracted from the returned response message, and the clock offset is calculated by combining it with the timestamp recorded locally on the client. After validity verification and accuracy compensation, the local system clock is corrected. This method effectively restores the device's time synchronization capability in a network environment with blocked UDP ports. Simultaneously, it ensures the security of time synchronization data through encrypted transmission, achieves seamless switching between the primary and backup channels, and improves the success rate and reliability of time synchronization in complex network environments.
[0059] Based on the above methods, this invention provides a network time synchronization system that bypasses UDP port blocking, such as... Figure 2 As shown, it includes: The primary channel detection module 10 is used to send a time synchronization request to the Network Time Protocol server through the User Datagram Protocol port in order to detect the reachability of the Network Time Protocol primary channel; The time query encapsulation module 20 is used to generate a query domain name containing a first time parameter when it is determined that the primary channel of the network time protocol is unreachable, so as to form a domain name system query message encapsulating a time synchronization request; The backup channel establishment module 30 is used to establish an encrypted connection with the target server based on the transport layer security protocol to build a backup channel for secure transmission of the Domain Name System (DNS), and to send the DNS query message to the target server through the backup channel; The time parameter extraction module 40 is used to receive the Domain Name System response message returned by the target server and extract the second time parameter added by the target server from the response message; The clock offset correction module 50 is used to calculate the clock offset between the client and the target server based on the first time parameter and the second time parameter, and adjust the local system clock according to the clock offset.
[0060] It should be noted that the steps in the network time synchronization method for bypassing UDP port blocking provided in this embodiment can be implemented based on the corresponding modules in the network time synchronization system for bypassing UDP port blocking. Those skilled in the art can refer to the technical solution of the system to implement the steps of the method. That is, the embodiments in the system can be understood as preferred examples of implementing the method, and will not be elaborated here.
[0061] This embodiment also provides an electronic device, such as... Figure 3 As shown, the electronic device includes a processor 14 and a memory 13. The memory 13 stores machine-executable instructions that can be executed by the processor 14. The processor 14 executes the machine-executable instructions to implement the network time synchronization method described above for bypassing UDP port blocking.
[0062] Furthermore, Figure 3 The electronic device shown also includes a bus 12 and a communication interface 11, with the processor 14, the communication interface 11 and the memory 13 connected via the bus 12.
[0063] The memory 13 may include high-speed random access memory (RAM) and may also include non-volatile memory, such as at least one disk storage device. Communication between this system network element and at least one other network element is achieved through at least one communication interface 11 (which can be wired or wireless), such as the Internet, wide area network, local area network, metropolitan area network, etc. The bus 12 may be an ISA bus, PCI bus, or EISA bus, etc. The bus can be divided into address bus, data bus, control bus, etc. For ease of representation, Figure 3 The symbol is represented by a single double-headed arrow, but this does not mean that there is only one bus or one type of bus.
[0064] Processor 14 may be an integrated circuit chip with signal processing capabilities. In implementation, each step of the above method can be completed by the integrated logic circuitry in the hardware of processor 14 or by instructions in software form. Processor 14 can be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), etc.; it can also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. It can implement or execute the methods, steps, and logic block diagrams disclosed in this embodiment. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the method disclosed in this embodiment can be directly manifested as execution by a hardware decoding processor, or execution by a combination of hardware and software modules in the decoding processor. The software modules can reside in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other mature storage media in the art. The storage medium is located in memory 13. The processor 14 reads the information in memory 13 and, in conjunction with its hardware, completes the steps of the network time synchronization method that bypasses UDP port blocking.
[0065] This disclosure also provides a computer-readable storage medium, which can be a non-volatile computer-readable storage medium or a volatile computer-readable storage medium, storing a computer program that, when run on a computer, causes the computer to perform the steps of a network time synchronization method that bypasses UDP port blocking.
[0066] Finally, it should be noted that the above description is only a preferred embodiment of the present invention, and the scope of protection of the present invention is not limited to the above embodiments. All technical solutions falling within the scope of the present invention's concept are within the scope of protection of the present invention. It should be pointed out that for those skilled in the art, any improvements and modifications made without departing from the principle of the present invention should also be considered within the scope of protection of the present invention.
[0067] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.
Claims
1. A network time synchronization method for bypassing UDP port blocking, characterized in that, Includes the following steps: The system sends a time synchronization request to the Network Time Protocol (NTP) server through the User Datagram Protocol (UDP) port to detect the reachability of the NTP primary channel. When it is determined that the primary channel of the network time protocol is unreachable, a query domain name containing the first time parameter is generated to form a domain name system query message encapsulating a time synchronization request; An encrypted connection is established with the target server based on the transport layer security protocol to construct a backup channel for secure transmission of the Domain Name System (DNS), and the DNS query message is sent to the target server through the backup channel. Receive the Domain Name System (DNS) response message returned by the target server, and extract the second time parameter added by the target server from the response message; The clock offset between the client and the target server is calculated based on the first time parameter and the second time parameter, and the local system clock is adjusted according to the clock offset.
2. The network time synchronization method for bypassing UDP port blocking according to claim 1, characterized in that, Detecting the reachability of the Network Time Protocol (NTP) primary channel includes: Send probe packets in parallel to multiple preset network time protocol servers and set a uniform timeout period; If no valid response is received from any of the Network Time Protocol (NTP) servers within the timeout period, the NTP primary channel is determined to be unreachable.
3. The network time synchronization method for bypassing UDP port blocking according to claim 2, characterized in that, When it is determined that the primary network time protocol channel is unreachable, the method further includes: The identification information of the current network environment is associated with and stored in relation to the blocking status; After a preset time period, based on the stored state, the primary network time protocol channel is re-probeed in the background to update the blocking state.
4. The network time synchronization method for bypassing UDP port blocking according to claim 1, characterized in that, A Domain Name System (DNS) query message encapsulating a time synchronization request includes: The first timestamp, representing the client's current local time, is combined with a randomly generated value to construct a domain name in a specific format; Initiate a Domain Name System (DNS) query of type text record, and use the domain name as the query content to generate the DNS query message.
5. The network time synchronization method for bypassing UDP port blocking according to claim 4, characterized in that, Calculating the clock offset between the client and the target server includes: Record the client's sending timestamp when the Domain Name System query message is sent, and the client's receiving timestamp when the Domain Name System response message is received; Extract the server-side receiving timestamp and server-side sending timestamp recorded by the target server from the text record of the response message; Based on the client's sending timestamp, the client's receiving timestamp, the server's receiving timestamp, and the server's sending timestamp, calculate the round-trip delay and the clock offset between the client and the target server.
6. The network time synchronization method for bypassing UDP port blocking according to claim 5, characterized in that, The method further includes: The generation and transmission of the Domain Name System query message are performed multiple times to obtain multiple estimated values of the clock offset; The multiple estimated values are sorted and the median is taken as the final clock offset, which is used to adjust the local system clock.
7. The network time synchronization method for bypassing UDP port blocking according to claim 5, characterized in that, Adjusting the local system clock based on the clock offset includes: The absolute value of the calculated clock offset is compared with a preset first threshold and a second threshold, wherein the second threshold is less than the first threshold; When the absolute value is greater than the first threshold, the system clock is adjusted by direct setting. When the absolute value is between the second threshold and the first threshold, the system clock is gradually corrected using a smooth adjustment method; When the absolute value is less than or equal to the second threshold, fine-tuning is performed by adjusting the clock frequency.
8. The network time synchronization method for bypassing UDP port blocking according to claim 1, characterized in that, Establishing an encrypted connection with the target server based on transport layer security protocols includes: When establishing a connection for the first time, a first-time trust usage strategy is adopted to receive and cache the fingerprint information of the digital certificate provided by the target server; When establishing a connection later, if the certificate fingerprint provided by the server matches the cached fingerprint information, the certificate validity period verification will be skipped and an encrypted connection will be established directly.
9. The network time synchronization method for bypassing UDP port blocking according to claim 8, characterized in that, After establishing the encrypted connection and completing a time synchronization query, cache the session ticket for the encrypted connection. When a time synchronization query is required in the future, the session ticket is reused to rebuild the encrypted connection, thereby shortening the connection establishment time.
10. The network time synchronization method for bypassing UDP port blocking according to claim 8, characterized in that, The establishment of the encrypted connection also includes: Attempt to establish the encrypted connection with the target server through multiple preset ports; If the connection fails through the default Domain Name System (DNS) secure port, it will automatically switch to the Hypertext Transfer Protocol (HTTP) port to attempt a connection.
11. The network time synchronization method for bypassing UDP port blocking according to claim 5, characterized in that, After extracting the second time parameter added by the target server from the response message, the process further includes: The extracted timestamp sent by the time server, the timestamp received by the time server, and the calculated round-trip delay are subjected to a validity verification, wherein the validity verification includes: Verify whether the timestamp is within a preset reasonable time range, verify whether the round-trip delay is within a preset reasonable delay interval, and verify whether the difference between the server-sent timestamp and the server-received timestamp is within a preset range. Only after all verifications have passed will the clock offset be calculated based on the second time parameter.
12. The network time synchronization method for bypassing UDP port blocking according to claim 1, characterized in that, The method further includes: Monitor and record relevant information for each time synchronization event, including the type of time source channel used, the calculated clock offset, and the identifier of the current network; The recorded information is reported to the cloud management platform so that the cloud management platform can optimize the time synchronization strategy and distribute it to the client based on the time synchronization status under different network environments.
13. A network time synchronization system for bypassing UDP port blocking, characterized in that, include: The primary channel detection module is used to send a time synchronization request to the Network Time Protocol (NTP) server through the User Datagram Protocol (UDP) port in order to detect the reachability of the NTP primary channel. The time query encapsulation module is used to generate a query domain name containing a first time parameter when it is determined that the primary channel of the network time protocol is unreachable, so as to form a domain name system query message encapsulating a time synchronization request; The backup channel establishment module is used to establish an encrypted connection with the target server based on the transport layer security protocol to build a backup channel for secure transmission of the Domain Name System (DNS), and to send the DNS query message to the target server through the backup channel; The time parameter extraction module is used to receive the Domain Name System response message returned by the target server and extract the second time parameter added by the target server from the response message; The clock offset correction module is used to calculate the clock offset between the client and the target server based on the first time parameter and the second time parameter, and adjust the local system clock according to the clock offset.
14. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by the processor, it implements the network time synchronization method for bypassing UDP port blocking as described in any one of claims 1-12.
15. An electronic device, characterized in that, include: One or more processors; A storage device for storing one or more programs, which, when executed by one or more processors, cause the one or more processors to implement the network time synchronization method for bypassing UDP port blocking as described in any one of claims 1-12.