Interesting find! Out of curiosity, what was the content of the emails you sent and how exactly did they bring you to uncover these workstation names?

Just a dummy e-mail. You'll get back either an error response or the IP address of the machine.

I'm guessing empty message, check for error status later. Just send a bunch of emails, see which hostnames resolve (vs not).

Whats the point of disclosing this information?

I'd imagine if you were to gain access to the Google internal network, now you have a list of machines that are more than likely running a common software platform you can apply a list of known exploits against. Directory servers also may have elevated privileges or trust relationships that can be spoofed.

I agree. What's the point of internal DNS entries being disclosed? I highly doubt they're routable externally and I imagine Gmail uses internal DNS as it is also the email system used by the company (I've heard there are pockets of Exchange there though, no sure how true that is).

Most MXs use internal and external DNS to prevent routing internal emails to the big bad internet unnecessarily.

haha :D nice hack.