I was looking at a client's DNS configurations for MX records and noticed that they have just one entry: smtp.google.com. At first I thought this was a mistake, but apparently after April 2023 this is now the recommended setting. One record with a "weight" of "1."

I've been managing and configuring SMTP services and DNS records for 30+ years and I've always believed (and seen the belief reinforced over time) that DNS is a SPoF (Single Point of Failure) for many organizations. The most impressive outage of the last few years was in October 2021 when folks at Facebook instantly took down Facebook, Instagram and WhatsApp with one mistaken BGP configuration change.

Question: Why would Google have put all of their DNS eggs in one basket? Meaning, all of their DNS services behind smtp.google.com (in IPv4 at least) seem to live within one ASN: 15169 with over 11 million IP addresses. They seem exposed to a BGP outage and/or BGP hijacking attack with this setup.

References: Google Workspace MX record values & MxToolbox (asn:15169)
CISO, a month ago
I'm aware of their diversity of A records of course, but when they are all within the same AS that's when I get nervous. I'm sure you're familiar with the 2018 outage, yes?
https://arstechnica.com/information-technology/2018/11/major-bgp-mishap-takes-down-google-as-traffic-improperly-travels-to-china/
CISO in IT Services, 2 months ago
I agree, historically we've always used multiple entries for redundancy, resilience and failover so that when something went wrong our side would be able to continue to operate. However, with the hyperscale that Google and others have reached, the complexity of having and managing all these entries is not as required as it used to be. Google has global, highly available, load-balanced and disaster-resilient infrastructure which provides the same or a higher level of availability, and now with less complexity.
The BGP side of it is also secured and pretty well architected to prevent most common issues.
The final part of this is that Google has a lot of eyes on this; anything that starts going wrong will get a huge amount of attention and would be quickly resolved.
CISO, a month ago
I've not felt confident that the "trust" in BGP is warranted (and it's definitely not part of the protocol). I also feel like BGP hijacking is increasing... looking for data to back me up, I see over 3 million hijacks reported in Q1 2023 on this site:
https://blog.qrator.net/en/q1-2023-ddos-attacks-and-bgp-incidents_171/
Google has also deployed RPKI and other techniques to improve BGP security. They also use route filtering to only accept valid routes from neighboring networks. You can read the short version of it here:
https://cloud.google.com/blog/products/networking/how-google-is-working-to-improve-internet-routing-security
There's a lot more going on here than immediately meets the eye, and it's far less of a SPoF than one may think at first glance.
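
Added example, not part of the thread and not Google's code: a minimal sketch of the RPKI route origin validation mentioned above (the RFC 6811 valid / invalid / not-found decision), showing what an RPKI-based route filter accepts and drops. The ROAs and announcements are constructed on documentation prefixes; AS 15169 is the ASN named in the question, AS 64500 is a documentation ASN, and the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # prefix the holder has authorized
    max_length: int  # longest prefix length that may be announced
    asn: int         # AS authorized to originate it

# Constructed ROAs on documentation prefixes (not real routing data).
# 15169 is the ASN named in the thread; 64500 is a documentation ASN.
ROAS = [
    ROA("192.0.2.0/24", 24, 15169),
    ROA("2001:db8::/32", 48, 15169),
]

def validate(announced: str, origin_asn: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ipaddress.ip_network(announced)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def accepted(routes, roas=ROAS):
    """Import policy that drops only 'invalid' routes."""
    return [r for r in routes if validate(*r, roas) != "invalid"]

# Constructed announcements: (prefix, origin AS)
ROUTES = [
    ("192.0.2.0/24", 15169),       # matches the ROA
    ("192.0.2.0/24", 64500),       # same prefix, unauthorized origin
    ("192.0.2.128/25", 15169),     # more specific than max_length allows
    ("2001:db8:1::/48", 15169),    # within max_length
    ("2001:db8:1:2::/64", 15169),  # longer than max_length
    ("203.0.113.0/24", 64500),     # no covering ROA
]

if __name__ == "__main__":
    for prefix, asn in ROUTES:
        print(f"{prefix:20} AS{asn:<6} {validate(prefix, asn)}")
    print("accepted:", accepted(ROUTES))
```

Origin validation checks only the origin AS and the prefix length, not the rest of the AS path, and prefixes with no covering ROA pass as not-found, so it narrows the hijack exposure discussed in the thread without removing it.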