On 29/01/2021 21:57, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Fri, 29 Jan 2021, Gary R. Schmidt wrote:
>
>> I've just noticed that freshclam has logged "DNS record is older than
>> 3 hours." twice in the last few days.
>> It's not a problem, I just wonder what the underlying cause could be -
>> is it just that DNS updates somewhere in there are slow on occasion??
>
> It's probably not a problem for ClamAV, but if it keeps happening it
> might indicate there's something which does need your attention.

[SNIP]

> If you look at the code in .../libfreshclam/libfreshclam_internal.c at
> around lines 1590-1640 in the latest version you'll see that (1) this
> part of the code is only compiled under some circumstances, (2) it is
> a fallback for when the primary means of getting the database version
> fails and (3) the warning is only emitted if the time provided by the
> system and the timestamp on the DNS record differ by more than 10800
> seconds (a rather nasty hard-coded value in the source).

Yep, been there and had a look, just in case it was a symptom of
something nasty.

> My first check would be that the timestamps on all the log entries at
> about the time that the messages were emitted make some sort of sense.

[SNIP]

Hi Ged,

Some background:
Solaris 11.4 Intel server, patched up to date.
It's the local DNS, NTP, SMTP, and so forth server.
The caching DNS talks to OpenDNS first, because I like to get
correct-ish answers.
NTP talks to the various .au.pool.ntp.org servers.
(I am ancient BOFH, HR will be talking to me about long-term recovery in
the next few years. :-) )

It logs pretty much everything, and I'd already had a shufty at them,
the only thing mentioned around then is freshclam doing its thing.

But!!

Your suggestions made a buried memory surface, for some reason we log
all the DNS traffic, but under /var/named/log, because who wants all
that guff flooding your normal logging area.

I went and had a look, at the time of the message there was trouble in
River City:

26-Jan-2021 18:03:16.094 lame-servers: info: REFUSED unexpected RCODE
resolving 'play.googleapis.com/TYPE65/IN': 208.67.222.222#53

With variations, for about a second, in the "auth_servers" channel.

So possibly there was a problem with getting to the OpenDNS servers,
they're only in Sydney, about 10 hops away, but if the network betwixt
us got clogged or foosled for a moment that may explain it.

It doesn't seem to cause any problems, and it is, after all, only a
warning, and the databases seem to be updating around midnight here, so
I'll not worry about it unless it becomes a fixture.

Thanx for the prod that reminded me we have other logs. :-)

Cheers,
Gary B-)
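
The log check described in this message, as an added example that is not part of the original message and is not ClamAV or BIND code: it picks out the lame-servers entries in a named log that fall within a window around a freshclam warning and groups them by upstream server, next to the 10800-second comparison quoted above. The log sample, the warning time, the 60-second window and the function names are constructed for illustration; reading the comparison as "now minus record time" is an assumption based on the warning's wording.

```python
import re
from datetime import datetime

STALE_AFTER = 10800  # seconds; the hard-coded threshold quoted in the thread

# Constructed sample in the shape of the named log line quoted in the message.
NAMED_LOG = """\
26-Jan-2021 17:41:02.511 lame-servers: info: SERVFAIL unexpected RCODE resolving 'example.test/A/IN': 192.0.2.53#53
26-Jan-2021 18:03:16.094 lame-servers: info: REFUSED unexpected RCODE resolving 'play.googleapis.com/TYPE65/IN': 208.67.222.222#53
26-Jan-2021 18:03:16.412 lame-servers: info: REFUSED unexpected RCODE resolving 'example.test/AAAA/IN': 208.67.222.222#53
this line is not a lame-servers entry and is skipped
"""

LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) lame-servers: \w+: "
    r"(?P<rcode>\w+) unexpected RCODE resolving '(?P<query>[^']+)': "
    r"(?P<server>[^#\s]+)#\d+$"
)


def record_is_stale(record_ts, now_ts):
    """Age test on epoch seconds (assumed direction: system time minus record time)."""
    return now_ts - record_ts > STALE_AFTER


def resolver_errors_near(log_text, warning_time, window_s=60):
    """Map upstream server -> [(rcode, query)] for entries within window_s of the warning."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # other channels, wrapped or malformed lines
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        if abs((ts - warning_time).total_seconds()) <= window_s:
            hits.setdefault(m["server"], []).append((m["rcode"], m["query"]))
    return hits


if __name__ == "__main__":
    warning = datetime(2021, 1, 26, 18, 3, 20)  # constructed freshclam warning time
    for server, errors in resolver_errors_near(NAMED_LOG, warning).items():
        print(server, len(errors), sorted({rcode for rcode, _ in errors}))
```

Both timestamps must be in the same time zone for the window to mean anything, which is the same sanity check on log timestamps suggested earlier in the thread.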