Security risks of using Google DNS to resolve names on a private net (192.168.x.x)


Are there any known risks associated with using a public DNS versus a DNS which we or our partners control? Our solution involves a few embedded devices so using Google DNS would give us a degree of portability when we deploy in a variety of locations i.e. as long as we have a valid internet connection then we will usually be able to hit Google's DNS (not always true but usually).

Given that I am not an expert on how DNS works, the scenario I can imagine is something like

a) Our router (or other device acting as a DHCP server) assigns an address on the private net via and sends a new record to the DNS.

b) Someone else 'hijacks' that record and points it to something else outside our private NW.

c) Next time something on our private network tries to resolve the name of a machine on the private network it gets redirected to a malicious server.

Is this kind of attack even possible? How does the DNS server establish that updates from our domain really are from our domain? I understand there are best practices for running a DNS server itself but are there any equivalent best practices which you should follow as a client?

Note: I am not bothered about what Google will be able to learn (they won't learn much as we will only be accessing our own services and things like Windows Update, Azure etc). I am more concerned that by using a public service we would be enabling something malicious by a 3rd party.

Best Answer

The attack you're thinking of generally is cache poisoning, where an attacker can force a server to save incorrect information and redirect legitimate traffic to a specific hacker-controlled server. That technique is pretty hard to use though.

If you can control your DNS zone, you can always use DNSSEC to secure your zones' content and ensure that everything is validated before / after transmission.

About the public DNS server, I am sorry but I do not see what it could bring you since you would not be able to push your own records on it. If you are referring to something like Amazon's Route53, well... they could still be hijacked I guess, and you'd still have to update it one way or another.
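As an added illustration of the client-side side of the answer above (this is example code, not part of the original post or of any resolver's software): a stub client can ask a validating resolver for DNSSEC by setting the DO bit in an EDNS0 OPT record and then refuse answers that do not come back with the AD (Authenticated Data) flag. The hostname and the response bytes are constructed here so the script runs offline.

```python
import struct

def _encode_name(name):
    """Wire-format a hostname as length-prefixed labels ending in the root label."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, txid=0x1234):
    """Build an A query with an EDNS0 OPT record whose DO bit asks the
    resolver to perform DNSSEC validation (RFC 6891 section 6.1.3)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, UDP size 4096, ext-RCODE 0, version 0, DO flag, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def build_response(query, ip, ad):
    """Constructed sample response (not captured traffic) echoing the query's
    TXID and question, with one A record and the AD flag set or cleared."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | 0x0080 | (0x0020 if ad else 0)  # QR, RD, RA, [AD]
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = query[12:query.index(b"\x00", 12) + 5]         # qname + QTYPE + QCLASS
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # name pointer to offset 12
    return header + question + answer

def parse_header(msg):
    """Decode the 12-byte DNS header; AD means the resolver validated the DNSSEC chain."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "rcode": flags & 0x000F, "counts": (qd, an, ns, ar)}

def validated(query, response):
    """Client-side acceptance rule: TXID must match our query, RCODE must be
    NOERROR and AD must be set. AD is only trustworthy if the path to the
    resolver is itself protected (e.g. DoT/DoH); over plain UDP a spoofed
    reply can set it too, so this detects unvalidated answers, not forgeries."""
    h = parse_header(response)
    return h["qr"] and h["txid"] == struct.unpack("!H", query[:2])[0] \
        and h["rcode"] == 0 and h["ad"]

if __name__ == "__main__":
    q = build_query("device1.example.internal")  # constructed private hostname
    print(validated(q, build_response(q, "192.168.1.20", ad=True)))   # True
    print(validated(q, build_response(q, "192.168.1.20", ad=False)))  # False
```

Note that AD only tells you the resolver validated a signed zone; a private 192.168.x.x name that lives in no public zone can never be validated by a public resolver, which is the answer's point about not being able to push your own records to it.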