Scott Pettit
What are others doing at a network level, if anything?
If you've the ability to match on length, ntp timesync requests & replies are 76 bytes in length (minus layer-2 framing).
You can allow that & drop anything else from/to UDP/123 for targets under attack or ntpds being abused.
Transparently redirecting DNS or ntp is hostile & unethical, if not actionable. Setting up policies so that customers must by default use your recursive DNS & ntp setups makes perfect sense, as long as those policies are made clear & as long as 'advanced' customers can opt out.
With regard to DNS, also allowing Google DNS & OpenDNS makes sense; for ntp, pool.ntp.org, time.apple.com, etc. Most customers will be happy with your infrastructure, plus the popular 3rd-party ones.
---------------------------------------
Roland Dobbins
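As an added illustration (not part of the thread, and not Roland's code), the length-match rule above modelled in Python and run over constructed IPv4/UDP datagrams: the builder, the packet contents and the RFC 5737 documentation addresses are all constructed here, and the datagram length excludes layer-2 framing exactly as the 76-byte figure does.

```python
import struct

def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed test helper: IPv4 + UDP datagram around the given payload
    (no layer-2 framing; checksums left zero since the filter ignores them)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src_b, dst_b)
    return ip + udp

def ntp_length_filter(pkt):
    """Apply the rule from the post to one IPv4 datagram.

    UDP/123 traffic is allowed only when the datagram is exactly 76 bytes
    (20 IP + 8 UDP + 48 NTP), the size of a plain timesync request or reply.
    Anything else to or from UDP/123 is dropped; non-NTP traffic is untouched.
    Returns (verdict, reason) so the reason can be logged alongside the drop."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return ("drop", "malformed or non-IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17:
        return ("allow", "not UDP")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if 123 not in (sport, dport):
        return ("allow", "not UDP/123")
    # NTP mode is the low 3 bits of the first payload byte; mode 7 (private)
    # is the family involved in the ntpd abuse the post refers to.
    mode = pkt[ihl + 8] & 0x07 if len(pkt) > ihl + 8 else None
    if total_len == 76 and len(pkt) == 76:
        return ("allow", f"76-byte NTP packet, mode {mode}")
    return ("drop", f"{total_len}-byte UDP/123 packet, mode {mode}")

# Constructed samples (not captures from the thread).
CLIENT_REQUEST = build_ipv4_udp("192.0.2.10", "198.51.100.5", 40000, 123,
                                bytes([0x23]) + bytes(47))       # LI=0 VN=4 mode=3, 48 bytes
MODE7_REQUEST = build_ipv4_udp("203.0.113.7", "198.51.100.5", 123, 123,
                               bytes([0x17]) + bytes(7))         # VN=2 mode=7, 8 bytes
MODE7_RESPONSE = build_ipv4_udp("198.51.100.5", "203.0.113.7", 123, 123,
                                bytes([0xD7]) + bytes(439))      # response bit set, 440 bytes

if __name__ == "__main__":
    for name, pkt in [("client request", CLIENT_REQUEST),
                      ("mode-7 request", MODE7_REQUEST),
                      ("mode-7 response", MODE7_RESPONSE)]:
        print(f"{name:16} {len(pkt):4} bytes -> {ntp_length_filter(pkt)}")
```

A pure length match also drops authenticated (MAC-bearing) timesync packets and mode 6 control queries, which exceed 76 bytes, so it fits the scoped use the post gives it (targets under attack, servers being abused) rather than a blanket policy.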