• Resolved aadjan

    (@aadjan)


    Dear all, my Wordfence reports an issue after a scan. The issue is a “DNS Change” issue. Now in the last two months we haven’t changed our DNS records, I checked my DNS records at my DNS service provider and reviewed online history (as per answer of a related topic). All seems to be well?!

    However marking it as fixed doesn’t seem to matter because the next scan shows the issue again.

    In addition the listing of “Old DNS records:” vs. “New DNS records:” seems to be wrong in the Wordfence issue report. Only one of them shows so I cannot compare the old vs. new.

    o) How is the check performed, is there some data stored in the database locally or at the Wordfence servers?
    o) Should I be worried that my domain name is under frequent attack?
    o) or am I missing something else?

    Please help.
    –Aadjan


Viewing 8 replies - 1 through 8 (of 8 total)
  • we haven’t changed our DNS records

    Did anyone in your team recently sign up for Content delivery network (CDN)?

    Thread Starter aadjan

    (@aadjan)

    Thanks for this question. The answer is no.

    Hi @aadjan,

    Wordfence keeps track of your DNS records via your database.

    Can I have you run this query to see what the current values are?

    SELECT name, val FROM wp_wfconfig WHERE name IN ('wf_dnsA', 'wf_dnsCNAME', 'wf_dnsLogged', 'wf_dnsMX', 'wp_home_url', 'wp_site_url');

    wf_dnsA -> what IP your hostname should point to
    wf_dnsCNAME -> another URL that points to your site
    wf_dnsLogged -> 1 if your site has logged a previous DNS record, 0 otherwise
    wf_dnsMX -> email records

    wp_home_url -> the hostname that we should look up for DNS records

    Run the query before and after a scan, to see if the values change.

    Dave

    Thread Starter aadjan

    (@aadjan)

    Hi @wfdave, I see no value change, here is my output:
    +--------------+-------------------------------------------------------+
    | name         | val                                                   |
    +--------------+-------------------------------------------------------+
    | wf_dnsA      | http://www.brigitvarenkamp.nl points to 83.96.252.136 |
    | wf_dnsCNAME  |                                                       |
    | wf_dnsLogged | 1                                                     |
    | wf_dnsMX     |                                                       |
    | wp_home_url  | https://www.brigitvarenkamp.nl                        |
    | wp_site_url  | https://www.brigitvarenkamp.nl                        |
    +--------------+-------------------------------------------------------+
    6 rows in set (0.00 sec)

    Thread Starter aadjan

    (@aadjan)

    Hi @wfdave, as a follow-up I did check the Wordfence diagnostics page to find that the curl PHP module was not installed. Remedied that and ran the scan again. Now NO ERROR and the following content in the database:
    +--------------+--------------------------------+
    | name         | val                            |
    +--------------+--------------------------------+
    | wf_dnsA      |                                |
    | wf_dnsCNAME  |                                |
    | wf_dnsLogged | 1                              |
    | wf_dnsMX     |                                |
    | wp_home_url  | https://www.brigitvarenkamp.nl |
    | wp_site_url  | https://www.brigitvarenkamp.nl |
    +--------------+--------------------------------+

    Please let me know if you think that a missing curl module could be the cause.

    Thanks and regards,
    –Aadjan

    Hi again,

    Wordfence uses your host’s DNS server to look up hostnames. I think that the lookup server is sometimes not working, which is causing your database to have an empty wf_dnsA.

    The next time the lookup server does work, it will fill in a different wf_dnsA which will trigger another warning.

    If you have access to SSH on your host, can you type in the command nslookup?
    For example, it may return Server: 8.8.8.8 (where 8.8.8.8 is the domain server)

    If you don’t have access, could you ask your host provider to tell you what DNS server they are using?

    Dave
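
The failure mode described in the reply above, replayed as an added Python example (not part of the thread and not Wordfence's code): a scanner that stores an empty lookup result as its new baseline alerts on every resolver hiccup, while one that skips failed lookups stays quiet and still reports a real change. The function names, the comparison logic and the sample IPs are assumptions made for illustration.

```python
# Added illustration: a simplified model, NOT Wordfence's actual code.
# The last A record is stored (like wf_dnsA) and each scan compares a
# fresh lookup against it.

def naive_scan(stored, lookup):
    """Store whatever the resolver returned, even an empty (failed) answer."""
    alert = stored is not None and lookup != stored
    return lookup, alert


def robust_scan(stored, lookup):
    """Treat an empty answer as 'resolver unavailable', not as a new record."""
    if not lookup:                 # lookup failed: keep baseline, raise nothing
        return stored, False
    alert = bool(stored) and lookup != stored
    return lookup, alert


def run(scan, lookups):
    """Replay lookup results; return (scan numbers that alerted, final baseline)."""
    stored, alerts = None, []
    for n, result in enumerate(lookups, start=1):
        stored, alert = scan(stored, result)
        if alert:
            alerts.append(n)
    return alerts, stored


# Constructed sample: the record never changes (documentation IP 192.0.2.10),
# but the host's resolver fails on scans 2 and 4 and returns nothing.
LOOKUPS = ["192.0.2.10", "", "192.0.2.10", "", "192.0.2.10"]

if __name__ == "__main__":
    print("naive :", run(naive_scan, LOOKUPS))
    print("robust:", run(robust_scan, LOOKUPS))
    # A genuine change must still be reported by the robust version.
    print("moved :", run(robust_scan, ["192.0.2.10", "", "198.51.100.7"]))
```
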

    Thread Starter aadjan

    (@aadjan)

    Output of nslookup:
    $ nslookup wordfence.com
    Server: 127.0.0.53
    Address: 127.0.0.53#53

    I am unfamiliar with the setup of DNS on my server, tried the following as well:
    $ systemd-resolve --status
    Global
    DNS Servers: 79.170.92.7
    194.60.207.52
    194.60.207.53
    8.8.8.8
    … (rest omitted from this post).

    @wfdave: does this make it clearer?

    Thread Starter aadjan

    (@aadjan)

    Scans run smoothly now. Thanks for all the help!

  • The topic ‘Scan shows DNS change – while there is none?’ is closed to new replies.