[clamav-users] freshclam logs "DNS record is older than 3 hours."
Joel Esler (jesler)
jesler at cisco.com
Fri Jan 29 14:04:24 UTC 2021
> On Jan 29, 2021, at 7:50 AM, Gary R. Schmidt <grschmidt at acm.org> wrote:
>
> On 29/01/2021 21:57, G.W. Haywood via clamav-users wrote:
>> Hi there,
>> On Fri, 29 Jan 2021, Gary R. Schmidt wrote:
>>> I've just noticed that freshclam has logged "DNS record is older than 3 hours." twice in the last few days.
>>>
>>> It's not a problem, I just wonder what the underlying cause could be - is it just that DNS updates somewhere in there are slow on occasion??
>> It's probably not a problem for ClamAV, but if it keeps happening it
>> might indicate there's something which does need your attention.
> [SNIP]
>> If you look at the code in .../libfreshclam/libfreshclam_internal.c at
>> around lines 1590-1640 in the latest version you'll see that (1) this
>> part of the code is only compiled under some circumstances, (2) it is
>> a fallback for when the primary means of getting the database version
>> fails and (3) the warning is only emitted if the time provided by the
>> system and the timestamp on the DNS record differ by more than 10800
>> seconds (a rather nasty hard-coded value in the source).
> Yep, been there and had a look, just in case it was a symptom of something nasty.
>
>> My first check would be that the timestamps on all the log entries at
>> about the time that the messages were emitted make some sort of sense.
> [SNIP]
>
> Hi Ged,
>
> Some background:
> Solaris 11.4 Intel server, patched up to date.
> It's the local DNS, NTP, SMTP, and so forth server.
>
> The caching DNS talks to OpenDNS first, because I like to get correct-ish answers.
> NTP talks to the various .au.pool.ntp.org servers.
>
> (I am an ancient BOFH, HR will be talking to me about long-term recovery in the next few years. :-) )
>
> It logs pretty much everything, and I'd already had a shufty at them, the only thing mentioned around then is freshclam doing its thing.
>
> But!!
>
> Your suggestions made a buried memory surface, for some reason we log all the DNS traffic, but under /var/named/log, because who wants all that guff flooding your normal logging area.
>
> I went and had a look, at the time of the message there was trouble in River City:
> 26-Jan-2021 18:03:16.094 lame-servers: info: REFUSED unexpected RCODE resolving 'play.googleapis.com/TYPE65/IN': 208.67.222.222#53
>
> With variations, for about a second, in the "auth_servers" channel.
>
> So possibly there was a problem with getting to the OpenDNS servers, they're only in Sydney, about 10 hops away, but if the network betwixt us got clogged or foosled for a moment that may explain it.
>
> It doesn't seem to cause any problems, and it is, after all, only a warning, and the databases seem to be updating around midnight here, so I'll not worry about it unless it becomes a fixture.
>
> Thanx for the prod that reminded me we have other logs. :-)
For context for the thread, because I may have missed it… what version of ClamAV?
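The staleness check Ged describes (the warning fires only when the system clock and the timestamp carried in the DNS TXT record differ by more than 10800 seconds) can be reproduced offline so an admin can tell a stale record apart from a wrong local clock. The script below is an added example, not ClamAV's own code and not from anyone in this thread. It assumes the record is a colon-separated string with the epoch timestamp in the fourth field (the layout of current.cvd.clamav.net as I know it; verify against libfreshclam_internal.c before relying on it), and it uses the 10800-second limit quoted above. The sample record is constructed, not a real lookup.

```shell
#!/bin/sh
# Added example: mirrors the freshclam DNS-record staleness check described
# in the thread. Not ClamAV code. Assumed record layout: colon-separated
# fields, epoch timestamp in field 4 (verify against the freshclam source).

STALE_AFTER=10800   # seconds; the hard-coded 3-hour limit quoted in the thread

# Print the 4th colon-separated field of a TXT record string (assumed layout).
record_timestamp() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Print the absolute difference, in seconds, between the record timestamp
# and "now" (second argument, epoch seconds; defaults to the system clock).
# Returns 2 if the timestamp field is missing or not numeric.
record_age() {
    now=${2:-$(date +%s)}
    ts=$(record_timestamp "$1")
    case $ts in
        ''|*[!0-9]*) echo "bad timestamp field: '$ts'" >&2; return 2 ;;
    esac
    diff=$((now - ts))
    echo $(( diff < 0 ? -diff : diff ))
}

# Exit 0 if the record is fresh, 1 if freshclam would log the warning,
# 2 if the record could not be parsed. Mirrors "more than 10800 seconds":
# an age of exactly 10800 is still considered fresh.
check_record() {
    age=$(record_age "$1" "$2") || return 2
    if [ "$age" -gt "$STALE_AFTER" ]; then
        echo "DNS record is older than 3 hours (age ${age}s)." >&2
        return 1
    fi
    echo "DNS record age ${age}s, within limit."
    return 0
}

# Constructed sample record (not a real lookup). Timestamp 1611644400 is
# 2021-01-26 07:00:00 UTC.
SAMPLE='0.103.0:59:26050:1611644400:1:90:49192:332'

# Offline demonstration against a clock 4 hours after the record timestamp:
check_record "$SAMPLE" 1611658800

# Live use on a host with dig (run against the real record, then compare
# with "date -u" to see whether the record or the local clock is off):
#   check_record "$(dig +short TXT current.cvd.clamav.net | tr -d '"')"
```

If the age comes out large but the record's timestamp converts (via `date -u -d @<ts>` on GNU date) to a plausible recent time, the local clock is the suspect; if the timestamp itself is hours old, the resolver handed back a stale or cached answer, which is the situation Gary's BIND log points at.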