I was looking at a client's DNS configurations for MX records and noticed that they have just one entry: smtp.google.com. At first I thought this was a mistake, but apparently after April 2023 this is now the recommended setting. One record with a "weight" of "1."

I've been managing and configuring SMTP services and DNS records for 30+ years and I've always believed (and seen the belief reinforced over time) that DNS is a SPoF (Single Point of Failure) for many organizations. The most impressive outage of the last few years was in October 2021 when folks at Facebook instantly took down Facebook, Instagram and WhatsApp with one mistaken BGP configuration change.

Question: Why would Google have put all of their DNS eggs in one basket? Meaning, all of their DNS services behind smtp.google.com (in IPv4 at least) seem to live within one ASN: 15169 with over 11 million IP addresses. They seem exposed to a BGP outage and/or BGP hijacking attack with this setup.

References: Google Workspace MX record values & MxToolbox (asn:15169)

Director of Information Security, 2 months ago
Google's public DNS servers use DNSSEC to authenticate responses whenever possible. They also load balance their infrastructure via various means. One example is just a DNS lookup of smtp.google.com, where you are treated with 5 different A records in the answer section. I would also bet that those 5 A records don't represent single-instance servers, either. You may even get different answers depending on your network proximity to various Google properties.

Google has also deployed RPKI and other techniques to improve BGP security. They also use route filtering to only accept valid routes from neighboring networks. You can read the short version of it here: https://cloud.google.com/blog/products/networking/how-google-is-working-to-improve-internet-routing-security.

There's a lot more going on here than immediately meets the eye, and it's far less of a SPoF than one may think at first glance.
CISO, a month ago

I'm aware of their diversity of A records of course, but when they are all within the same AS that's when I get nervous. I'm sure you're familiar with the 2018 outage, yes?
https://arstechnica.com/information-technology/2018/11/major-bgp-mishap-takes-down-google-as-traffic-improperly-travels-to-china/

CISO in IT Services, 2 months ago
I agree, historically we've always used multiple entries for redundancy, resilience and failover so that when something went wrong our side would be able to continue to operate.

However, with the hyperscale that Google and others have reached, the complexity of having and managing all these entries is not as required as it used to be. Google has global, highly available, load-balanced and disaster-resilient infrastructure, which provides the same or a higher level of availability, and now with less complexity.

The BGP side of it is also secured and pretty well architected to prevent most common issues.

The final part of this is that Google has a lot of eyes on this; anything that starts going wrong will get a huge amount of attention and would be quickly resolved.
CISO, a month ago

I've not felt confident that the "trust" in BGP is warranted (and it's definitely not part of the protocol). I also feel like BGP hijacking is increasing... looking for data to back me up, I see over 3 million hijacks reported in Q1 2023 on this site:
https://blog.qrator.net/en/q1-2023-ddos-attacks-and-bgp-incidents_171/
