Hacker News

Do you perhaps think that DNS log data could be valuable for Google? As always, when a product is free...


DNS log data is not used by Google for any purpose. Their privacy policy is actually stronger than Cloudflare's for DNS services.

The reason Google provides DNS should be obvious: when people experience a better web, Google makes more money. ISP DNS fuckery is bad for users. Since Google already needs to cache the DNS for its internal purposes, presenting it to the public as a service is close to free for them.


Is it any worse than the harvesting my ISP is likely doing?


The surveillance is additive (unless you use). Since DNS traffic is not encrypted, the ISP still sees everything even if you switch it, and now so does Google.

The practical benefit is that some ISPs run bad DNS servers that e.g. automatically redirect nxdomains to their spam pages. If you use Google or Cloudflare you can bypass this particular anti-feature.


>The practical benefit is that some ISPs run bad DNS servers that e.g. automatically redirect nxdomains to their spam pages. If you use Google or Cloudflare you can bypass this particular anti-feature.

As I discussed here[0], my goto DNS server is 192.168.xxx.91.

Which is to say I run my own recursive resolver. This avoids ISP DNS server issues as well as other issues (like these[1][2]). Also, Google/Cloudflare/whoever don't get to log my DNS queries.

[0] https://news.ycombinator.com/item?id=29026077

[1] https://news.ycombinator.com/item?id=19828317

[2] https://community.spotify.com/t5/Desktop-Windows/Random-Stop...


Since ISPs generally see DNS queries from the gateway and not individual hosts, wouldn't your ISP still be able to see those requests?

AFAIK, the only way to prevent your ISP from collecting the domains you visit is if you use something like DNS over HTTPS. Even then, your TLS connection leaks the domain via SNI (hopefully this hole will get plugged by TLS 1.3).


>Since ISPs generally see DNS queries from the gateway and not individual hosts, wouldn't your ISP still be able to see those requests?

Of course. Just as they can see every other packet that comes out of my network.

>AFAIK, the only way to prevent your ISP from collecting the domains you visit is if you use something like DNS over HTTPS. Even then, your TLS connection leaks the domain via SNI (hopefully this hole will get plugged by TLS 1.3).

Actually, they can capture or log all your network traffic if they want, not just DNS traffic.

As for DoH/DoT, that's a huge can of worms that I dislike immensely. Why? Because it uses tcp/443. As such, any device that I don't roll myself (roku, fire stick, etc.) could (and with wider adoption, will) perform their own DoH/DoT requests that I can't intercept with my network-based ad/tracking/spying blocker (e.g., Pi-Hole).

That means that blocking ads/tracking is going to become enormously more difficult, unless I block tcp/443, limiting my ability to connect to pretty much any website these days.

And I am much more concerned about that than I am about my ISP logging netflow[0] data, or even capturing all my packets.

What's more, they are extremely unlikely to do the latter. Even with cheap storage, capturing all my packets (and even just the hundreds of other customers that connect to my head-end, let alone the millions of customers they have) isn't economically (or likely even physically) viable.

That said, if you're afraid that your ISP might be doing so, I suggest using a VPN. Then they only see the envelope of the encrypted VPN traffic and that's it.

Given that most data is going to be encrypted anyway (https, ssh, etc.), the fact that they can see where I'm going (which they need to know anyway to route the packets) doesn't really concern me.

As such, if my ISP really wants to capture all my DNS queries and other network connections (assuming they do so for all their customers, as I'm not anyone state-level actors are interested in), they're going to need some ginormous data centers for all that data storage.

Yes, NSA has their ginormous data center in Utah, but they're pulling data from Tier 1 peering points and nothing I do will impact that -- not even using a VPN.

As I said, I'm much more concerned with ads/tracking/spyware, as that's much more likely to be tied to me personally, as those folks want to maintain the fiction that they can effectively "target" advertising at me so they can keep charging the advertisers more and more.

So unless you're someone who some state actor wants to mess with (in which case, you're hosed anyway), blocking the corporate ad spies is more useful than worrying about your ISP. I'd note that Google is one of the biggest of those spies too.

As such, I'm going to focus on a real threat to my privacy that I can actually do something about (which includes doing my own recursive DNS queries), rather than worrying about stuff over which I have no control.

I'm not telling you what to do, just what I do.

[0] https://en.wikipedia.org/wiki/NetFlow

Edit: Added the missing link.


Yes. And no, I would not assume that your ISP is doing it.



