Hello Damian Menscher,

> So, if you didn't do it, and none of the other team-members did it, then 
> who did?  This raises an interesting issue: if an attacker figures out 
> how to poison the DNS server, nobody would get updates.  As unlikely as 
> that seems, it makes me wonder if we should consider having a backup DNS 

We have 7 slave servers + 2 (ghost) masters.

> server, or even configure clients to do the HTTP check for updates (on a 
> very limited basis, like once a day).

If they can poison DNS, they can also point db.*.clamav.net and
database.clamav.net to a server without the latest updates.
Falling back to HTTP doesn't solve the problem.

> (BTW, this was reported in #clamav, here, and I saw it in my own logs. 
> So it wasn't just a fluke of someone's local DNS server getting confused 
> and giving the wrong info.  Also, the fact that the timestamp was 
> correct indicates this was a deliberate change, not the appearance of 
> some ancient cached data from before 0.86.)
> 
> Some timestamps (in GMT) for the record:
> 
> I saw the problem at 05:37:01, but not at 05:52:00.  Bill saw it at 
> 05:52:07.  And lizdeika on IRC reported it at 06:10, though presumably 
> it had seen it earlier than that.

My only explanation is that one of the slave servers hasn't received any
update during the last 2 days for the cvd.clamav.net zone. I'll start
investigating.
I guess the weak point is that I'm not closely monitoring the status of
the DNS slaves; I only keep an eye on the logs of the master servers through 
logcheck, but evidently we need something better. I'll make it one of my 
priorities.

Thanks for your reports.

Best regards

-- 
Luca Gibelli (luca at clamav.net) - ClamAV, a GPL virus scanner
PGP Key Fingerprint: C782 121E 8C3A 90E3 7A87  D802 6277 8FF4 5EFC 5582
PGP Key Available on: Key Servers || http://www.clamav.net/gpg/luca.gpg
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
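The check Luca says is missing, a monitor that asks every authoritative
server for the zone's SOA serial and flags any slave that lags behind, as
an added example. This is not ClamAV or clamav.net code; it uses only the
Python standard library, speaks raw DNS over UDP, and the zone name, the
server names and the serial values in the offline demo are constructed for
illustration. Run it with a zone and a list of nameserver addresses to
query them for real; with no arguments it runs against constructed
responses (two in-sync slaves, one stale) so it can be tried offline.

```python
import random
import socket
import struct
import sys

SOA = 6  # RR type for Start Of Authority


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n


def build_query(zone, txid):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(zone) + struct.pack(">HH", SOA, 1)


def parse_soa_serial(resp):
    """Serial from the first SOA RR in the answer section, or None."""
    try:
        _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
        if flags & 0x000F:          # non-zero RCODE (SERVFAIL, NXDOMAIN, ...)
            return None
        off = 12
        for _ in range(qd):
            off = skip_name(resp, off) + 4          # QTYPE + QCLASS
        for _ in range(an):
            off = skip_name(resp, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
            off += 10
            if rtype == SOA:
                p = skip_name(resp, off)            # MNAME
                p = skip_name(resp, p)              # RNAME
                return struct.unpack(">I", resp[p:p + 4])[0]
            off += rdlen
    except (IndexError, struct.error):
        return None
    return None


def query_soa_serial(server, zone, timeout=3.0):
    """Ask one nameserver directly (no recursion through a resolver)."""
    txid = random.randrange(0, 65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(zone, txid), (server, 53))
        resp, _ = sock.recvfrom(4096)
    except (socket.timeout, OSError):
        return None
    finally:
        sock.close()
    # Drop replies whose ID does not match: spoofed or stray packets.
    if len(resp) < 12 or struct.unpack(">H", resp[:2])[0] != txid:
        return None
    return parse_soa_serial(resp)


def find_stale(serials):
    """Given {server: serial-or-None}, return (newest serial, sorted stale servers).

    A server is stale if it answered with an older serial or did not answer.
    Plain max() is used; RFC 1982 serial wraparound is ignored on purpose.
    """
    good = [s for s in serials.values() if s is not None]
    newest = max(good) if good else None
    stale = sorted(srv for srv, s in serials.items() if s != newest)
    return newest, stale


def build_soa_response(zone, serial, txid=0x1234):
    """Constructed SOA reply for the offline demo; not real zone data."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(zone) + struct.pack(">HH", SOA, 1)
    # MNAME/RNAME end in a pointer (0xC00C) back to the question name.
    rdata = (b"\x02ns\xc0\x0c" + b"\x0ahostmaster\xc0\x0c"
             + struct.pack(">IIIII", serial, 3600, 900, 604800, 300))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", SOA, 1, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    zone = sys.argv[1] if len(sys.argv) > 1 else "cvd.clamav.net"
    servers = sys.argv[2:]
    if servers:
        serials = {s: query_soa_serial(s, zone) for s in servers}
    else:   # offline demo with constructed replies; names are made up
        serials = {
            "slave1.example": parse_soa_serial(build_soa_response(zone, 2005062902)),
            "slave2.example": parse_soa_serial(build_soa_response(zone, 2005062902)),
            "slave3.example": parse_soa_serial(build_soa_response(zone, 2005062701)),
        }
    newest, stale = find_stale(serials)
    print("zone %s newest serial %s" % (zone, newest))
    for srv in stale:
        print("STALE %s serial=%s" % (srv, serials[srv]))
```

Querying each server directly is the point: a recursive resolver would hide
which slave is behind, and a slave that stopped receiving zone transfers
two days ago still answers authoritatively with the old serial, exactly the
failure described in this thread. Run it from cron and alert on any STALE
line.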