We are *still* failing to get ClamAV cvd files updates reliably -- even after deleting mirrors.dat before each attempt!
The basic problem seems to be that the query to (e.g.) daily.24710.85.1.0.6810BB8A.ping.clamav.net fails as often as not, e.g.:

    Querying daily.24710.85.1.0.6810BB8A.ping.clamav.net
    Can't query daily.24710.85.1.0.6810BB8A.ping.clamav.net

The query fails a lot when issued by freshclam, and it also fails (times out) a lot when issued by dig.

As far as I can tell by reading the freshclam code, the query is just a DNS query for the A record (as opposed to a TXT record etc.). I presume that the prefix part of the FQDN works like it does for blacklists and indicates whether the prefix is "good" or "bad".

As I investigated further, I ran one test which gave a very interesting result:

    # dig xx.ping.clamav.net
    ;xx.ping.clamav.net.            IN      A
    xx.ping.clamav.net.     1       IN      A       5.9.14.57
    ping.clamav.net.        218     IN      NS      ns4.clamav.net.
    ns4.clamav.net.         3053    IN      A       12.167.151.33
    ns4.clamav.net.         3053    IN      A       5.9.14.57
    ns4.clamav.net.         3258    IN      AAAA    2a01:4f8:160:8421::2

Apparently, ping.clamav.net is handled by ns4.clamav.net, but that name server has 2 unrelated IP addresses. The 12.167.151.33 address appears to be leased by Sourcefire from AT&T, but the 5.9.14.57 address is owned by Hetzner.de.

If I now do digs explicitly using the 2 different addresses for ns4, the Hetzner one works, but the Sourcefire one doesn't:

    # while true; do dig @5.9.14.57 daily.24710.85.1.0.6810BB8A.ping.clamav.net ; sleep 1 ; done
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
    ping.clamav.net. 1200 IN NS ns4.clamav.net.
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
    ping.clamav.net. 1200 IN NS ns4.clamav.net.
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
    ping.clamav.net. 1200 IN NS ns4.clamav.net.
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
    ping.clamav.net. 1200 IN NS ns4.clamav.net.
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
    ping.clamav.net. 1200 IN NS ns4.clamav.net.
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
    ping.clamav.net. 1200 IN NS ns4.clamav.net.
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
    ping.clamav.net. 1200 IN NS ns4.clamav.net.
    ^C

    # while true; do dig @12.167.151.33 daily.24710.85.1.0.6810BB8A.ping.clamav.net ; sleep 1 ; done
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
    ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
    ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
    ^C

This would explain why the DNS query from freshclam is so unreliable. (Is the Sourcefire instance of ns4 even running a DNS server?)

This behavior is causing us much grief, because a large number of ClamAV DB updates fail, saying that the mirror is not synchronized, thus adding that mirror to mirrors.dat (which I now automatically delete right before freshclam runs!).

Is there anything we can do short of bypassing freshclam, periodically downloading daily.cvd, bytecode.cvd etc., and seeing if they differ from the last download?

P.S. Here are traceroutes to the 2 ns4.clamav.net machines; these show that we *do* have the ability to reach both of them:

    traceroute to ns4.clamav.net (5.9.14.57), 30 hops max, 60 byte packets
     1  dslmodem.iment.local (10.25.26.1)  1.108 ms  1.476 ms  1.942 ms
     2  216.237.102.1 (216.237.102.1)  36.675 ms  39.009 ms  40.798 ms
     3  216.237.98.117 (216.237.98.117)  44.470 ms  46.751 ms  46.998 ms
     4  69.46.227.233.lightower.net (69.46.227.233)  79.273 ms  79.554 ms  79.803 ms
     5  ae22-bstpmalljp1.lightower.net (104.207.214.80)  74.458 ms  76.358 ms  76.582 ms
     6  ae10-bstpmallj93.lightower.net (144.121.35.36)  68.487 ms  69.450 ms  69.548 ms
     7  10ge8-1.core1.bos1.he.net (216.66.32.5)  66.711 ms  41.656 ms  42.851 ms
     8  100ge12-2.core1.nyc4.he.net (184.105.64.53)  43.861 ms  41.986 ms  42.088 ms
     9  100ge11-1.core1.nyc5.he.net (184.105.213.218)  43.702 ms 100ge16-2.core1.lon2.he.net (72.52.92.165)  109.536 ms  112.671 ms
    10  100ge6-2.core1.ams1.he.net (72.52.92.214)  145.347 ms  161.222 ms 100ge8-2.core1.dub1.he.net (184.105.65.246)  103.805 ms
    11  100ge3-2.core1.man1.he.net (72.52.92.197)  107.707 ms  109.637 ms  109.192 ms
    12  100ge16-1.core1.ams1.he.net (184.105.213.65)  128.275 ms core23.fsn1.hetzner.com (213.239.224.249)  128.936 ms 100ge16-1.core1.ams1.he.net (184.105.213.65)  128.679 ms
    13  ex9k1.dc7.fsn1.hetzner.com (213.239.229.234)  134.740 ms hetzner.interxionfra4.nl-ix.net (193.239.117.110)  127.076 ms  127.058 ms
    14  core23.fsn1.hetzner.com (213.239.224.249)  131.271 ms core24.fsn1.hetzner.com (213.239.224.253)  130.748 ms core23.fsn1.hetzner.com (213.239.224.249)  125.226 ms
    15  ns4.clamav.net (5.9.14.57)  127.731 ms  128.609 ms ex9k1.dc7.fsn1.hetzner.com (213.239.229.238)  129.537 ms

    traceroute to ns4.clamav.net (12.167.151.33), 30 hops max, 60 byte packets
     1  dslmodem.iment.local (10.25.26.1)  1.104 ms  1.562 ms  2.070 ms
     2  216.237.102.1 (216.237.102.1)  37.613 ms  40.082 ms  41.797 ms
     3  216.237.98.117 (216.237.98.117)  43.653 ms  45.999 ms  47.673 ms
     4  69.46.227.233.lightower.net (69.46.227.233)  49.435 ms  51.731 ms  53.404 ms
     5  ae22-bstpmalljp1.lightower.net (104.207.214.80)  57.317 ms  59.946 ms  61.832 ms
     6  ae10-bstpmallj93.lightower.net (144.121.35.36)  61.904 ms  61.712 ms  64.363 ms
     7  10ge8-1.core1.bos1.he.net (216.66.32.5)  66.045 ms  39.012 ms  37.544 ms
     8  100ge12-2.core1.nyc4.he.net (184.105.64.53)  41.486 ms  41.540 ms  41.395 ms
     9  100ge16-1.core1.ash1.he.net (184.105.223.165)  117.502 ms  47.104 ms  57.578 ms
    10  eqix-ix-dc6.ciscosystems.com (206.126.237.194)  47.562 ms  46.928 ms  46.960 ms
    11  ava-talos2-pp-talos1-vlan2804.vrt.sourcefire.com (198.148.79.102)  48.446 ms  50.351 ms  50.132 ms
    12  moist.vrt.sourcefire.com (198.148.79.134)  50.964 ms  50.374 ms  47.583 ms
    13  * * *
    14  12.167.151.33 (12.167.151.33)  47.663 ms  47.912 ms  47.902 ms

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
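The diagnosis in the post above (one NS name with two addresses, one of which answers from a placeholder `localhost.` SOA zone) generalises into a check worth automating: enumerate every address behind every NS of the zone, send the same query directly to each one, and flag any address whose answer disagrees with the others. The script below is an added example and is not code from the poster, from freshclam or from the ClamAV project. It assumes only that `dig` is installed for live use; the `FIXTURE_*` strings are constructed from the two `dig @...` outputs quoted in the post (with dig header lines added, and the NXDOMAIN status of the lame reply assumed) so that the classification logic can be exercised offline.

```python
"""Ask one name of every address behind a zone's NS set and compare the answers.

Added example, not freshclam or ClamAV code.  Live use needs only `dig`;
the FIXTURE_* strings are constructed from the output quoted in the post.
"""
import re
import subprocess
import sys
from collections import namedtuple

# answer / authority are lists of (owner, rtype, rdata) tuples
Response = namedtuple("Response", "rcode answer authority")

LAME = "lame (placeholder localhost. SOA)"


def parse_dig(text):
    """Parse `dig +noall +comments +answer +authority` output.
    No 'status:' header (e.g. dig timed out) is reported as rcode TIMEOUT."""
    m = re.search(r"status: (\w+)", text)
    rcode = m.group(1) if m else "TIMEOUT"
    answer, authority, section = [], [], None
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            section = answer
        elif line.startswith(";; AUTHORITY SECTION"):
            section = authority
        elif line.startswith(";"):
            if "SECTION" in line:          # QUESTION/OPT/ADDITIONAL: not collected
                section = None
        elif section is not None and line.strip():
            f = line.split()               # owner ttl class type rdata...
            if len(f) >= 5:
                section.append((f[0], f[3], " ".join(f[4:])))
    return Response(rcode, answer, authority)


def dig_query(server, name, rtype="A", timeout=3):
    """Send the query straight to one server address (no recursion); '' on no reply."""
    cmd = ["dig", "+noall", "+comments", "+answer", "+authority", "+norecurse",
           "+time=%d" % timeout, "+tries=1", "@" + server, name, rtype]
    try:
        return subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout + 2).stdout
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return ""


def classify(resp):
    """Reduce a response to a verdict that can be compared across servers."""
    if resp.rcode == "TIMEOUT":
        return "no response"
    if any(rtype == "A" for _, rtype, _ in resp.answer):
        return "positive"
    soa = [rdata for _, rtype, rdata in resp.authority if rtype == "SOA"]
    # A negative answer whose SOA MNAME is 'localhost.' means the server is
    # serving a default/placeholder zone, not the real zone data: lame server.
    if soa and soa[0].split()[0] == "localhost.":
        return LAME
    if soa or resp.rcode == "NXDOMAIN":
        return "negative"
    return "unexpected (%s)" % resp.rcode


def check_servers(name, servers, query=dig_query):
    """Return ({server: verdict}, all_agree) for one name over a list of addresses."""
    verdicts = {s: classify(parse_dig(query(s, name))) for s in servers}
    return verdicts, len(set(verdicts.values())) == 1


def ns_addresses(zone):
    """Every A/AAAA address behind every NS of `zone` (live `dig +short` lookups)."""
    ns_names = subprocess.run(["dig", "+short", zone, "NS"],
                              capture_output=True, text=True).stdout.split()
    pairs = []
    for ns in ns_names:
        for rtype in ("A", "AAAA"):
            out = subprocess.run(["dig", "+short", ns, rtype],
                                 capture_output=True, text=True).stdout
            pairs += [(ns, ip) for ip in out.split()]
    return pairs


# Constructed fixtures modelled on the two `dig @...` results quoted in the post
# (header lines added; the NXDOMAIN status of the lame reply is an assumption).
FIXTURE_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; QUESTION SECTION:
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A

;; ANSWER SECTION:
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57

;; AUTHORITY SECTION:
ping.clamav.net. 1200 IN NS ns4.clamav.net.
"""
FIXTURE_LAME = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
;; QUESTION SECTION:
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A

;; AUTHORITY SECTION:
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
"""

if __name__ == "__main__":
    # usage: python check_ns.py ping.clamav.net daily.24710.85.1.0.6810BB8A.ping.clamav.net
    zone, name = sys.argv[1], sys.argv[2]
    addrs = ns_addresses(zone)
    verdicts, agree = check_servers(name, [ip for _, ip in addrs])
    for ns, ip in addrs:
        print("%-20s %-24s %s" % (ns, ip, verdicts[ip]))
    sys.exit(0 if agree else 1)
```

Run against a live zone, a non-zero exit means the addresses behind the NS set do not agree, which is exactly the condition that makes a resolver's answer depend on which address it happened to pick. Querying each address directly with `+norecurse` matters: going through a recursive resolver would hide the per-address behaviour behind its cache and its own server selection.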