WebSense posted an alert about a case of “DNS poisoning in the caches of a major China-based ISP”, following security engineer Dan Kaminsky’s recent warnings about just how serious a cache poisoning exploit could become.
The report shows DNS queries sent to the resolver of Chinese ISP Netcom with the command-line tool nslookup being answered with a completely different address, one whose IP is linked to China. There, WebSense says, instead of the user’s regular home page or webmail, he’ll see links to exploits for RealPlayer, Adobe Flash Player, and Microsoft Snapshot Viewer.
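The comparison WebSense describes, the ISP resolver’s nslookup answer checked against what other resolvers return for the same name, can be scripted. The following is an added example, not code from WebSense or the report; the nslookup output it parses is constructed, and the resolver names and addresses in it are placeholders.

```python
import re
from typing import Dict, Iterable, Set

# Constructed nslookup output, one in Unix layout (repeated Name:/Address:
# pairs) and one in Windows layout ("Addresses:" plus indented continuation
# lines). The ISP answer below is invented to look like a poisoned record.
ISP_OUTPUT = """Server:     192.0.2.53
Address:    192.0.2.53#53

Non-authoritative answer:
Name:   mail.example.net
Address: 203.0.113.77
"""

REFERENCE_OUTPUT = """Server:  reference-resolver.example
Address:  198.51.100.53

Non-authoritative answer:
Name:    mail.example.net
Addresses:  192.0.2.10
          192.0.2.11
"""

# An answer line: optional "Address:"/"Addresses:" label, then an IPv4/IPv6
# literal. Header lines ("Server:", "Non-authoritative answer:") never match.
ADDR_RE = re.compile(r"^\s*(?:Address(?:es)?:\s*)?([0-9A-Fa-f.:]+)\s*$")


def parse_nslookup(output: str) -> Dict[str, Set[str]]:
    """Map each resolved name to the set of addresses nslookup printed for it."""
    records: Dict[str, Set[str]] = {}
    name = None
    for line in output.splitlines():
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
            records.setdefault(name, set())
            continue
        m = ADDR_RE.match(line)
        # Address lines before the first "Name:" describe the resolver itself.
        if m and name is not None:
            records[name].add(m.group(1))
    return records


def poisoned_names(isp_output: str, reference_outputs: Iterable[str]) -> Dict[str, Set[str]]:
    """Names whose ISP answer contains an address no reference resolver returned."""
    trusted: Dict[str, Set[str]] = {}
    for out in reference_outputs:
        for n, addrs in parse_nslookup(out).items():
            trusted.setdefault(n, set()).update(addrs)
    suspicious = {}
    for n, addrs in parse_nslookup(isp_output).items():
        extra = addrs - trusted.get(n, set())
        if extra:
            suspicious[n] = extra
    return suspicious
```

A mismatch is a signal to investigate rather than proof of poisoning, since geo-aware DNS legitimately hands different addresses to different resolvers; checking the flagged address against the domain’s authoritative servers settles it.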
DNS cache poisoning is certainly not a new concept. In fact, it could very well date back to the Master’s thesis of then-Purdue student Christoph Schuba in 1993. “Because the Domain Name System is distributed among many thousands of hosts, it can be a critical mistake to blindly trust the resolved binding,” Schuba wrote 15 years ago. “This thesis shows that under some assumptions it is no major effort to falsify the host name and authorization for a system.”
WebSense’s research has uncovered only evidence that a DNS exploit occurred through cache poisoning; it is probably impossible to tell from that evidence alone whether the method used was Kaminsky’s.