WordPress.org

Forums

Wordfence Security
"Your DNS records have changed"... No, they have not... (4 posts)

  1. GuardianAngel
    Member
    Posted 1 year ago #

    Hi!

    I get that pretty interesting error message from time to time from Wordfence...

    <<
    Your DNS records have changed

    Old DNS records: blog1.example.com points to example.com
    New DNS records: http://www.example.com points to example.com
    Severity: Warning
    Status New

    We have detected a change in the CNAME records of your DNS configuration for the domain http://www.example.com. A CNAME record is an alias that is used to point a domain name to another domain name. For example foo.example.com can point to bar.example.com which then points to an IP address of 10.1.1.1. A change in your DNS records may indicate that a hacker has hacked into your DNS administration system and has pointed your email or website to their own server for malicious purposes. It could also indicate that your domain has expired. If you made this change yourself you can mark it 'resolved' and safely ignore it.
    >>

    I also got this

    <<
    Old DNS records: false
    New DNS records: http://www.example.com points to example.com
    Severity: Warning
    Status New
    >>

    and a few other interesting variations...

    This is a WordPress multisite installation with a www CNAME that points to example.com (obviously I replacement my domain name with this test one) and a wilcard CNAME that points to example.com.

    It seems like the plugin cannot makes sense of those CNAMEs and complain...

    It's otherwise a wonderful plugin, it would be so nice if this got fixed...

    Thank you!

    Nick

    PS: The http:// in front of the www is not supposed to be there, it's added by this site...

    https://wordpress.org/plugins/wordfence/

  2. tomhouy
    Member
    Posted 1 year ago #

    Are you using Cloudflare as well? If so, I read on some other support forums that this could possibly be a false alarm as Cloudflare is regularly changing stuff on their end.

  3. GuardianAngel
    Member
    Posted 1 year ago #

    Hi!

    No, no CDN/Cloudflare here...

    Some of the entries it complain about do not actually exist, they are handled by a wildcard DNS CNAME...

    In one of my examples above:

    <<
    Old DNS records: blog1.example.com points to example.com
    New DNS records: http://www.example.com points to example.com
    >>

    only http://www.example.com actually exists, blog1.example.com is actually handled by *.example.com...

    They are comparing together records which should not be compared, http://www.example.com and *.example.com...

    Thank you and have a nice day!

    Nick

  4. sdayman
    Member
    Posted 1 year ago #

    Yeah, I get that, too. I use Cloudflare and have a bypass domain to view/edit my site. If I visit "cloudflaredirect.example.com", it'll trigger that DNS warning. I can see that your warnings show blog1 and www, which is similar to what triggers mine.

    Following a WordFence suggestion from some other post, I've turned off the DNS scan.

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Wordfence Security
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic

Tags

No tags yet.