[SOLVED] freshclam won't fetch updates - uses wrong DNS
On a new machine (Ubuntu 10.04.2), the freshclam program (in the package clamav-freshclam version 0.96.5+dfsg-1ubuntu1.10.04.2) won't do updates. It fails on DNS queries. DNS is working for other programs OK. Diagnosis with tcpdump shows that it is sending the queries to 127.0.0.1 instead of the actual DNS servers designated in the /etc/resolv.conf file. Of course it won't get an answer because it is querying the wrong IP address.
There is a --no-dns option which I tried, but that doesn't help.
Any idea if freshclam or clamav needs its own config of DNS servers?
Code:
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
AllowSupplementaryGroups false
PidFile /var/run/clamav/freshclam.pid
ConnectTimeout 30
ReceiveTimeout 30
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
Here's what tcpdump is showing for port 53. Not only is it querying the wrong IP address, but it's also doing a burst of duplicate queries very fast (4 in 63 microseconds for the first TXT). If I manually do a TXT query to current.cvd.clamav.net I get an answer just fine.
Code:
08:35:25.295119 IP 127.0.0.1.40676 > 127.0.0.1.53: 55502+ TXT? current.cvd.clamav.net. (40)
08:35:25.295151 IP 127.0.0.1.52681 > 127.0.0.1.53: 55502+ TXT? current.cvd.clamav.net. (40)
08:35:25.295167 IP 127.0.0.1.51193 > 127.0.0.1.53: 55502+ TXT? current.cvd.clamav.net. (40)
08:35:25.295182 IP 127.0.0.1.33819 > 127.0.0.1.53: 55502+ TXT? current.cvd.clamav.net. (40)
08:35:25.295202 IP 127.0.0.1.49832 > 127.0.0.1.53: 44723+ ANY? current.cvd.clamav.net. (40)
08:35:25.295212 IP 127.0.0.1.51336 > 127.0.0.1.53: 44723+ ANY? current.cvd.clamav.net. (40)
08:35:25.295222 IP 127.0.0.1.47979 > 127.0.0.1.53: 44723+ ANY? current.cvd.clamav.net. (40)
08:35:25.295231 IP 127.0.0.1.47340 > 127.0.0.1.53: 44723+ ANY? current.cvd.clamav.net. (40)
08:35:25.295516 IP 127.0.0.1.41048 > 127.0.0.1.53: 22059+ AAAA? db.local.clamav.net. (37)
08:35:25.295530 IP 127.0.0.1.59351 > 127.0.0.1.53: 22059+ AAAA? db.local.clamav.net. (37)
08:35:25.295540 IP 127.0.0.1.37092 > 127.0.0.1.53: 22059+ AAAA? db.local.clamav.net. (37)
08:35:25.295549 IP 127.0.0.1.58401 > 127.0.0.1.53: 22059+ AAAA? db.local.clamav.net. (37)
08:35:25.295561 IP 127.0.0.1.51697 > 127.0.0.1.53: 28599+ AAAA? db.local.clamav.net. (37)
08:35:25.295570 IP 127.0.0.1.52355 > 127.0.0.1.53: 28599+ AAAA? db.local.clamav.net. (37)
08:35:25.295579 IP 127.0.0.1.37009 > 127.0.0.1.53: 28599+ AAAA? db.local.clamav.net. (37)
08:35:25.295588 IP 127.0.0.1.41981 > 127.0.0.1.53: 28599+ AAAA? db.local.clamav.net. (37)
08:35:25.295602 IP 127.0.0.1.35514 > 127.0.0.1.53: 48878+ A? db.local.clamav.net. (37)
08:35:25.295612 IP 127.0.0.1.53578 > 127.0.0.1.53: 48878+ A? db.local.clamav.net. (37)
08:35:25.295621 IP 127.0.0.1.48566 > 127.0.0.1.53: 48878+ A? db.local.clamav.net. (37)
08:35:25.295630 IP 127.0.0.1.43387 > 127.0.0.1.53: 48878+ A? db.local.clamav.net. (37)
08:35:25.295641 IP 127.0.0.1.42895 > 127.0.0.1.53: 3265+ A? db.local.clamav.net. (37)
08:35:25.295650 IP 127.0.0.1.35925 > 127.0.0.1.53: 3265+ A? db.local.clamav.net. (37)
08:35:25.295659 IP 127.0.0.1.33292 > 127.0.0.1.53: 3265+ A? db.local.clamav.net. (37)
08:35:25.295668 IP 127.0.0.1.54427 > 127.0.0.1.53: 3265+ A? db.local.clamav.net. (37)
08:35:30.295955 IP 127.0.0.1.57666 > 127.0.0.1.53: 31847+ TXT? current.cvd.clamav.net. (40)
08:35:30.295978 IP 127.0.0.1.44928 > 127.0.0.1.53: 31847+ TXT? current.cvd.clamav.net. (40)
08:35:30.295996 IP 127.0.0.1.41168 > 127.0.0.1.53: 31847+ TXT? current.cvd.clamav.net. (40)
08:35:30.296017 IP 127.0.0.1.44753 > 127.0.0.1.53: 31847+ TXT? current.cvd.clamav.net. (40)
08:35:30.296044 IP 127.0.0.1.36691 > 127.0.0.1.53: 50377+ ANY? current.cvd.clamav.net. (40)
08:35:30.296065 IP 127.0.0.1.54421 > 127.0.0.1.53: 50377+ ANY? current.cvd.clamav.net. (40)
08:35:30.296086 IP 127.0.0.1.50888 > 127.0.0.1.53: 50377+ ANY? current.cvd.clamav.net. (40)
08:35:30.296104 IP 127.0.0.1.50470 > 127.0.0.1.53: 50377+ ANY? current.cvd.clamav.net. (40)
08:35:30.296290 IP 127.0.0.1.45186 > 127.0.0.1.53: 14108+ AAAA? db.local.clamav.net. (37)
08:35:30.296310 IP 127.0.0.1.48772 > 127.0.0.1.53: 14108+ AAAA? db.local.clamav.net. (37)
08:35:30.296332 IP 127.0.0.1.38488 > 127.0.0.1.53: 14108+ AAAA? db.local.clamav.net. (37)
08:35:30.296352 IP 127.0.0.1.39416 > 127.0.0.1.53: 14108+ AAAA? db.local.clamav.net. (37)
08:35:30.296378 IP 127.0.0.1.35921 > 127.0.0.1.53: 29730+ AAAA? db.local.clamav.net. (37)
08:35:30.296397 IP 127.0.0.1.46104 > 127.0.0.1.53: 29730+ AAAA? db.local.clamav.net. (37)
08:35:30.296417 IP 127.0.0.1.55857 > 127.0.0.1.53: 29730+ AAAA? db.local.clamav.net. (37)
08:35:30.296435 IP 127.0.0.1.42458 > 127.0.0.1.53: 29730+ AAAA? db.local.clamav.net. (37)
08:35:30.296462 IP 127.0.0.1.47446 > 127.0.0.1.53: 15236+ A? db.local.clamav.net. (37)
08:35:30.296483 IP 127.0.0.1.50525 > 127.0.0.1.53: 15236+ A? db.local.clamav.net. (37)
08:35:30.296502 IP 127.0.0.1.42912 > 127.0.0.1.53: 15236+ A? db.local.clamav.net. (37)
08:35:30.296521 IP 127.0.0.1.59542 > 127.0.0.1.53: 15236+ A? db.local.clamav.net. (37)
08:35:30.296543 IP 127.0.0.1.52595 > 127.0.0.1.53: 46396+ A? db.local.clamav.net. (37)
08:35:30.296564 IP 127.0.0.1.39945 > 127.0.0.1.53: 46396+ A? db.local.clamav.net. (37)
08:35:30.296582 IP 127.0.0.1.55263 > 127.0.0.1.53: 46396+ A? db.local.clamav.net. (37)
08:35:30.296602 IP 127.0.0.1.57221 > 127.0.0.1.53: 46396+ A? db.local.clamav.net. (37)
I found the problem with the help of strace, which showed it was trying to read /etc/resolv.conf and getting permission denied. It is a bad default AppArmor config in the clamav-freshclam package, possibly as packaged by Ubuntu. I added the ability to read /etc/resolv.conf by editing /etc/apparmor.d/usr.bin.freshclam, reloaded the AppArmor profiles, and it now works. It did come with an email address of someone at Ubuntu, so I will email them about the issue. If they were running a DNS server on the machine that freshclam is being tested on, they would not have noticed a problem (for other machines) since the resolver falls back to trying 127.0.0.1.
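The two checks behind this diagnosis, as an added example that is not part of the original posts: flag DNS queries that go to loopback although resolv.conf names no loopback server, and test whether an AppArmor profile grants read access to /etc/resolv.conf. The function names, the sample nameservers, and the profile contents are constructed for illustration. The exact rule the poster added is not shown in the thread, so the check assumes either an explicit `/etc/resolv.conf r,` rule or an include of `abstractions/nameservice`.

```shell
#!/bin/sh
# Added example (not from the thread). All sample data below is constructed.

configured_nameservers() {   # nameserver IPs from a resolv.conf-style file
    awk '$1 == "nameserver" { print $2 }' "$1"
}

query_destinations() {       # distinct IPs that tcpdump text shows as port-53 targets
    awk '{ for (i = 1; i < NF; i++)
             if ($i == ">" && $(i+1) ~ /\.53:$/) { d = $(i+1); sub(/\.53:$/, "", d); print d }
         }' "$1" | sort -u
}

# True when queries hit loopback although resolv.conf ($1) names no loopback
# server: the symptom of a resolver that could not read the file and fell back.
loopback_fallback_suspected() {
    query_destinations "$2" | grep -Eq '^(127\.|::1$)' || return 1
    ! configured_nameservers "$1" | grep -Eq '^(127\.|::1$)'
}

# True when the profile grants read on /etc/resolv.conf, by explicit rule or by
# including the nameservice abstraction (assumed rule forms, see lead-in).
profile_allows_resolv_conf() {
    grep -Eq '^[[:space:]]*(/etc/resolv\.conf[[:space:]]+[a-z]*r[a-z]*,|#?include[[:space:]]+<abstractions/nameservice>)' "$1"
}

write_samples() {            # constructed inputs, written into directory $1
    printf 'nameserver 192.0.2.53\nnameserver 192.0.2.54\n' > "$1/resolv.conf"
    printf '%s\n' \
      '08:35:25.295119 IP 127.0.0.1.40676 > 127.0.0.1.53: 55502+ TXT? current.cvd.clamav.net. (40)' \
      '08:35:25.295602 IP 127.0.0.1.35514 > 127.0.0.1.53: 48878+ A? db.local.clamav.net. (37)' \
      > "$1/capture.txt"
    printf '%s\n' '/usr/bin/freshclam {' '  /var/lib/clamav/ r,' '}' > "$1/profile.before"
    printf '%s\n' '/usr/bin/freshclam {' '  /var/lib/clamav/ r,' '  /etc/resolv.conf r,' '}' \
      > "$1/profile.after"
}

tmp=$(mktemp -d) && write_samples "$tmp"
trap 'rm -rf "$tmp"' EXIT
loopback_fallback_suspected "$tmp/resolv.conf" "$tmp/capture.txt" \
    && echo "queries go to loopback, not to the servers in resolv.conf"
profile_allows_resolv_conf "$tmp/profile.before" || echo "before: no read rule for /etc/resolv.conf"
profile_allows_resolv_conf "$tmp/profile.after" && echo "after: read rule present"
```

On a real host, point the functions at /etc/resolv.conf, a saved `tcpdump -n port 53` text capture, and /etc/apparmor.d/usr.bin.freshclam.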