[clamav-users] freshclam logs "DNS record is older than 3 hours."

Gary R. Schmidt grschmidt at acm.org
Fri Jan 29 12:50:52 UTC 2021


On 29/01/2021 21:57, G.W. Haywood via clamav-users wrote:
> Hi there,
> 
> On Fri, 29 Jan 2021, Gary R. Schmidt wrote:
> 
>> I've just noticed that freshclam has logged "DNS record is older than 
>> 3 hours." twice in the last few days.
>>
>> It's not a problem, I just wonder what the underlying cause could be - 
>> is it just that DNS updates somewhere in there are slow on occasion??
> 
> It's probably not a problem for ClamAV, but if it keeps happening it
> might indicate there's something which does need your attention.
> 
[SNIP]
> If you look at the code in .../libfreshclam/libfreshclam_internal.c at
> around lines 1590-1640 in the latest version you'll see that (1) this
> part of the code is only compiled under some circumstances, (2) it is
> a fallback for when the primary means of getting the database version
> fails and (3) the warning is only emitted if the time provided by the
> system and the timestamp on the DNS record differ by more than 10800
> seconds (a rather nasty hard-coded value in the source).
> 
Yep, been there and had a look, just in case it was a symptom of 
something nasty.

> My first check would be that the timestamps on all the log entries at
> about the time that the messages were emitted make some sort of sense.
> 
[SNIP]

Hi Ged,

Some background:
Solaris 11.4 Intel server, patched up to date.
It's the local DNS, NTP, SMTP, and so forth server.

The caching DNS talks to OpenDNS first, because I like to get 
correct-ish answers.
NTP talks to the various .au.pool.ntp.org servers.

(I am ancient BOFH, HR will be talking to me about long-term recovery in 
the next few years.  :-) )

It logs pretty much everything, and I'd already had a shufty at them, 
the only thing mentioned around then is freshclam doing its thing.

But!!

Your suggestions made a buried memory surface, for some reason we log 
all the DNS traffic, but under /var/named/log, because who wants all 
that guff flooding your normal logging area.

I went and had a look, at the time of the message there was trouble in 
River City:
26-Jan-2021 18:03:16.094 lame-servers: info: REFUSED unexpected RCODE 
resolving 'play.googleapis.com/TYPE65/IN': 208.67.222.222#53

With variations, for about a second, in the "auth_servers" channel.

So possibly there was a problem with getting to the OpenDNS servers, 
they're only in Sydney, about 10 hops away, but if the network betwixt 
us got clogged or foosled for a moment that may explain it.

It doesn't seem to cause any problems, and it is, after all, only a 
warning, and the databases seem to be updating around midnight here, so 
I'll not worry about it unless it becomes a fixture.

Thanx for the prod that reminded me we have other logs.  :-)

	Cheers,
		Gary	B-)
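
Added example, not part of the original message and not ClamAV or BIND code: the check described above, lining up each freshclam "DNS record is older than 3 hours." warning with resolver errors logged by named around the same time. The named line format is the one quoted in the message; the freshclam line format (timestamp, then "-> WARNING:"), the extra sample lines and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs. The first named line is the one quoted in the
# message; the rest, and the freshclam line format, are assumptions.
# Both logs are assumed to be written in the same local timezone.
NAMED_LOG = """\
26-Jan-2021 18:03:16.094 lame-servers: info: REFUSED unexpected RCODE resolving 'play.googleapis.com/TYPE65/IN': 208.67.222.222#53
26-Jan-2021 18:03:16.310 lame-servers: info: REFUSED unexpected RCODE resolving 'example.test/A/IN': 208.67.222.222#53
27-Jan-2021 09:15:02.500 lame-servers: info: REFUSED unexpected RCODE resolving 'example.test/A/IN': 208.67.222.222#53
"""
FRESHCLAM_LOG = """\
Tue Jan 26 18:03:17 2021 -> WARNING: DNS record is older than 3 hours.
Thu Jan 28 00:03:40 2021 -> WARNING: DNS record is older than 3 hours.
"""

NAMED_RE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) lame-servers: "
                      r"info: (\S+) unexpected RCODE resolving '([^']+)': (\S+)#\d+$")
FRESH_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d{2}:\d{2}:\d{2} \d{4}) -> "
                      r"WARNING: DNS record is older than 3 hours\.")

def parse_named(text):
    """Yield (timestamp, rcode, query, upstream) for each lame-servers line."""
    for line in text.splitlines():
        m = NAMED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3), m.group(4)

def parse_freshclam(text):
    """Yield the timestamp of each 'older than 3 hours' warning."""
    for line in text.splitlines():
        m = FRESH_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")

def correlate(fresh_text, named_text, window_s=60):
    """Map each warning time to resolver errors within +/- window_s seconds."""
    errors = list(parse_named(named_text))
    window = timedelta(seconds=window_s)
    return {w: [e for e in errors if abs(e[0] - w) <= window]
            for w in parse_freshclam(fresh_text)}

if __name__ == "__main__":
    for w, hits in correlate(FRESHCLAM_LOG, NAMED_LOG).items():
        print(w, "-", len(hits), "resolver error(s) nearby")
        for ts, rcode, query, upstream in hits:
            print("   ", ts.time(), rcode, query, "via", upstream)
```

A warning with no resolver errors nearby is the one worth a closer look, starting with the timestamp sanity check suggested in the quoted reply.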


