A lot of people are worried about the privacy implications of using Google's DNS resolver. Paranoia is good, but it's probably overblown here. As far as I know, the primary objective of the project is to provide a fast, accurate DNS resolver, not to collect data. So much so that when it launched, it was originally called 'Honest DNS', as you can see on this bizarre Twitter account: https://twitter.com/honestdns
edit: Also of interest, Google does disclose exactly what data is logged, for the paranoid and curious: https://developers.google.com/speed/public-dns/privacy
(Disclaimer: I work for Google, but not on this. All of my knowledge of this service comes from being an end user, on the outside. Hopefully I didn't mess up any of the details.)
They introduced it as ISPs were starting to inject advertising via their own DNS, which competes with Google's core business (it's easy to forget that the overwhelming majority of Google's revenue comes from advertising). That's not to say this isn't a good move from Google, but it's very much aligned with their business interests.
This is mentioned in TFA, along with a Wikipedia link to an entry mentioning several errant ISPs who "use DNS hijacking for their own purposes, such as displaying advertisements".
cough OpenDNS cough
I always assumed it was to improve speed and security on the web.
First, outright faking of DNS resolution. Maybe to switch ads on internet pages. Maybe to falsify the pages entirely. Remember how internet in hotels worked 10 years ago?
Second, lying to improve cost metrics for ISPs. Say, lying to CDNs about the users' location to use the cheapest connection for the ISP. Or just lying to give users a bad connection and save on bandwidth.
Third, censorship. Mostly dumb organisations' censorship. School networks in early 2000s are a good example.
Fourth, special support for a number of their products. Starting with, of course, their own CDNs, but I don't think it's limited to that.
I'm not sure you truly comprehend that a few dozen individuals have access to some of the most intimate details on the lives of billions of people and they can do pretty much whatever they like with that, barring any roadblocks from the impotent US privacy laws. And not being part of the game is not really an option any more when almost all your friends and relatives are playing.
This is crazy when one thinks about it: whether I want it or not, my information will end up in the databases of some corporation. And I was born before this craziness, but a significant number of people will have their whole lives stored there and the only way to have a modicum of control over our data is the GDPR.
All the vulnerable aspects of an individual - finding a home, a job, getting medical care, etc - can be influenced through the power of information. Undesirable individuals can be harmed or effectively excluded from society without them even suspecting it. But undesirable is such an abstract word... in the past this meant women, homosexuals, Jews, union leaders, religious leaders, journalists and so on.
Even without tying queries to users, DNS logs combined with Google Play activity and Chrome activity probably give Google a lot of business intelligence about other companies.
>We don't correlate or combine information from our temporary or permanent logs with any personal information that you have provided Google for other services.
Seems pretty clear cut.
I haven't read the use policy; maybe there is another line item saying they don't use this aggregate data?
It can be collected from a bunch of other sources (e.g. Alexa top domains). It also probably isn't a very good indicator. time.ntp.org probably gets a lot of hits...
Also it doesn't protect non-personal entities such as companies.
Maybe competitive analysis (like, to get rough real time numbers of people that use Bing, etc.)? Though that's super niche and there's probably way cheaper ways to get that data.
Maybe it's a Fiber or internet.org kind of play, where by improving infra and access, you expand your own already-saturated market.
Maybe this is the exact reason + some data mining bonus (Not important, but Google can still do it).
Also, if Google is an ISP, without hosting its own DNS service (have to rely on other ISP's service) is dangerous.
It's worth noting that Google publicly documents what data they retain from their DNS service requests.
They get to know all your non-HTTP(S) traffic too, of course. Other protocols still exist! Where you make POP3/IMAP/SMTP connections, where you SSH to, that kind of thing.
It is a business that relies on collecting data, monetizing it, and using it to further reinforce its position.
However, I'm really not sure the whole recent debacle over "don't be evil" is really relevant to perceived ethical issues regarding Google. It's not like the motto became "actually, yes, be evil" - as far as I know, it became "do the right thing." And honestly, company cultures are all much more than just a motto.
I speak only for myself, but my feeling is that trust is very personal and if you don't trust Google, that's your right. All I'm discussing are things that I know, not trying to tell you who or what to trust.
For me, this makes them one of the most trustworthy companies when it comes to handling my data. If you know of any cases otherwise, I would love to hear about them.
There are endless examples of shady practices on Google's part, the obvious elephant in the room is ignoring the GDPR.
"And remember… don’t be evil, and if you see something that you think isn’t right – speak up!"
Last thing the employee reads in the document.
In : (8<<24) | (8<<16) | (8<<8)| 8
Incidentally there are 10 types of people, those who understand binary and those who try to write too clever headlines.
>>> dt = pendulum.datetime(2018, 8, 12, 0, 30) # from the article
>>> born = dt.subtract(years=8, months=8, days=8, hours=8)
"GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security."
I prefer to use them over Google and Cloudflare since their whole non-profit mission is DNS.
They also offer a 220.127.116.11 service if you don't want the "Security block list" (I don't like blacklists I don't control).
Australia is a puzzle though.
No. It works well.
> is it blocked by ISPs
> or are those people just overly obsessed with privacy?
I don't know why it's low in usage, but I can't think of a reason why it wouldn't be low. I don't know anyone who would even think to change their DNS servers.
I don't know what it says for you, but for me it lists everything I do in my life. The restaurants I look at in the Seamless app. The Reddit posts I clicked on in the Reddit app. Every single YouTube video I watch. Everything I search for. All of the places I went yesterday and in the last 6 months.
And these are only my "explicit" actions. Now imagine that Google also passively knows every single web address I look up via DNS? We share private browsing sessions to them all the time regardless of incognito mode or any other privacy safeguards.
OK, but it's still used to gather more information about how people are using the internet - what domains are popular, where they are being loaded from, etc. etc. etc.
We don't correlate or combine information from our temporary or permanent logs with any personal information that you have provided Google for other services.
Emphasis on personal information and provided. It does not say anything about non personal or inferred personal information imo.
I also have to say I don't understand what you guys' true fear (read: threat model) is. It seems like for Google your criterion is "if they could potentially keep such data, they're automatically dangerous (doubly so if their name is 'Google')", whereas for anyone else not in the advertising business your standard suddenly changes to "I don't care what data they have, as long as I don't see evidence of active misbehavior". To me this sounds like what you really fear is personalized advertising itself rather than an actual privacy or security breach, which doesn't entirely make logical sense considering what the dangers of each of them are.
I never said that. I said that I'm not going to trust a company that has this business model. That by no means implies that I'm going to blindly trust a company with another business model, rather that trust in such a company is possible.
Telling me you wouldn't trust someone who meets some disqualifying criterion isn't useful if you have so many disqualifying criteria that you wouldn't trust anybody, which frankly is the impression I get reading people's comments on this issue. If you have an actual company that you would trust, and a clear rationale for doing so, that's where we can have a real discussion.
You're presupposing that it is necessary to send all DNS traffic to one entity. I run a local recursive nameserver (unbound) instead of sending all of my queries to a different nameserver.
Combined with aggressive caching, any particular DNS server (from .ROOT-SERVERS.NET down to the specific authoritative nameservers for a specific domain) is only able to view a tiny subset of my browsing behavior. Most of the time the query to the final authoritative nameserver is to be followed quickly by a TCP SYN packet that reveals roughly the same information.
Yes, running the full recursive resolver locally can be very slightly* slower than asking e.g. the local ISP's server that probably has the query cached. Fortunately, local caching limits this (very minor) problem to only the first request for a domain.
NS records don't change very often. They can see that I looked up the delegation data about "example.com" once every $CACHE_TTL (~months). They do not get repeated queries at the beginning of every session I have with a website.
A lot of security is about being in the habit of minimizing attack surface. The only thing a TLD (or ISP) nameserver needs to know if I want to use the Domain Name System is "pdkl95 asked for example.com's nameserver once last month", instead of giving Google (or whomever) an update, e.g.:
;; ANSWER SECTION:
news.ycombinator.com. 300 IN A 18.104.22.168
Separating the requests allows for different cache policies. If you simply delegate the entire recursive resolution work to Google (or whomever), they get to record that you needed "www.example.com" every TTL (5min?). You don't even need to see the domain's NS records in that case, so there isn't an opportunity to choose a cache policy.
"No", because the system depends on running a recursive resolver locally to separate queries onto different nameservers.
Aggressive caching of NS records for TLDs doesn't do anything to prevent a single upstream nameserver from learning your pattern of life from the frequent DNS lookups for A records that are not cached longer than normal.
Setting $CACHE_TTL to "months" on everything, and doing nothing else.
> I'm still sending frequent short-TTL (normal caching) DNS lookups for most hosts that would betray my pattern-of-life in aggregate.
Your system does that. This theoretical mildly-inferior system would not have frequent DNS lookups for any record type.
That will break a lot.
DNS isn't static; IPs regularly change as servers move, CDNs are introduced/changed. Long-term caching only works on NS records because changing DNS delegations is relatively rare. NS record caching does cause problems, but they are infrequent. Caching the addresses of the actual servers will break some things within days, and most of the internet the next time each server is updated/moved/etc.
Even if they don't use your traffic history to help with personalized advertising, they could conceivably use it for other things (e.g., bot detection, usage stats).
Even if you have an evil ISP, and they're selling your data for $0.50/month, you're still paying them $50/month for service. A bunch of angry customers could change their policy quickly. Few ISPs would try to squeeze those extra quarters from you, given the potential blow-back (some do, and they'll get their comeuppance). However generally, ISPs' incentives are to keep you as a customer and get your fitty beans every month.
However, with Google, it's not clear why they are giving DNS services away for free or what they're getting in return. It clearly costs them some money to do so, and they're not being paid for it directly. It's possible that they're doing it purely altruistically, but they also have an extremely long history of using data for advertising or other forms of monetization.
I'm not saying that if you use 22.214.171.124, your search ads will target you. But I would bet they use your anonymized browsing history to fight bots, test internet speeds at various locations, identify browser technology, and who knows what.
And regarding this bit:
> I'm not saying that if you use 126.96.36.199, your search ads will target you.
Hm, well others here have been suggesting this would be the case.
> But I would bet they use your anonymized browsing history to fight bots, test internet speeds at various locations, identify browser technology, and who knows what.
Even if I take this at face value, how are these things you listed bad things? If my DNS queries are going to fight bots, by all means, please fight bots! If they're going to help them improve internet speeds, by all means, they should do that! That's what data is good for. Everyone here is freaking out about privacy, not improved service. (!)
That said, they are selling a service, and you're paying for it. Quite a bit for it. It would be pretty stupid for AT&T to use your DNS data and risk your $150/month cable, phone, internet subscription for an extra buck or two.
But with Google, you just don't know and their entire business model is predicated on selling your data. They are almost certainly using their DNS servers for some data-based operation.
And a last quasi-technical point... I'm sure AT&T and Comcast have good engineers on staff, but I'm even more sure that Google has better ones. I am less concerned about AT&T and Comcast because I honestly don't think they have the wherewithal and talent to come up with ways to monetize DNS. I'm pretty sure Google could.
There is no point in discussing what companies might do in some theoretical framework - they do not care about your privacy, they monetize NXDOMAIN, etc. This isn't about what might happen - these abuses have already happened.
My own ISP already knows all the ips I connect to, so telling them what the domains are doesn't tell them much, especially as the trend towards ipv6 means that multiple-domains-on-one-ip has gotten less popular.
Cloudflare's main prerogative isn't to sell clicks the way google's is, which earns it points already. In addition, if you believe the official documents, they permanently log a lot less than google.
I would also, needless to say, feel ok hosting my own dns.
Quad9 and opendns both filter content, and as such I don't trust them because the fact that they're willing to do that means that they are willing to censor content if they so choose.
I don't know any other dns servers off the top of my head.
> I would also, needless to say, feel ok hosting my own dns.
Yeah let's avoid options that 99%+ of people wouldn't find realistic.
> Quad9 and opendns both filter content, and as such I don't trust them because the fact that they're willing to do that means that they are willing to censor content if they so choose.
Right, I think I agree on that.
> Cloudflare's main prerogative isn't to sell clicks the way google's is, which earns it points already.
Sure, some points there for the increased likelihood of hypothetical data mishandling due to their incentives.
OTOH, don't forget it was Google who found this issue in CloudFlare, which earned Google some points and earned CloudFlare /quite/ the demerits in my book... and note that this was an _actual_ massive security incident, not a hypothetical one: https://blog.cloudflare.com/incident-report-on-memory-leak-c...
> My own ISP already knows all the ips I connect to, so telling them what the domains are doesn't tell them much, especially as the trend towards ipv6 means that multiple-domains-on-one-ip has gotten less popular.
I find this to be quite the odd argument for most people (maybe you're in the 1% of people who uses unconventional ISPs or email/search/map/etc. sites). Not only do major ISPs (thinking e.g. Comcast, AT&T here) not exactly have a great reputation on the privacy or security front (wasn't it just a few days ago someone posted about your home address being linked to your IP on Comcast?) -- meaning whatever data they do collect is prone to being hacked even if you believe they're really honestly keeping it private, which I'm not sure I always would -- but for most people Google already knows pretty much their life. And on top of that, they do their own tracking with Google Analytics, so they already know what websites most people are visiting -- not just from home, but also from work and on the go. And unlike with your ISP, it's likely already linked to your personal identity, not just your household or work office.
Oh, and in case you would like your advice to apply to those who have, say, Comcast, may I point you to quotes like this:
> Comcast today said it has "no plans" to sell its customers' individual Web browsing histories, but Comcast can still deliver personalized ads based on its customers' browsing history. Comcast, the nation's largest home Internet provider, said it will continue to offer customers a way to opt out of targeted ads.
I don't know about you, but I would be shocked if they did this solely based on IP and did not find DNS information to be important for this task.
I don't quite understand this one. Are you saying that you have an expectation that all software be bug-free? That just doesn't happen, unfortunately. Cloudflare had a problem, they fixed it promptly and then published a post-mortem on it. That, imo, is exactly what should happen. And as for google, it was discovered by their dedicated team of security researchers. Having such a team arguably reflects well on google, but do remember that monolithic corporations such as google are rarely unified.
That's a difference between Apple and Google - Apple is at least partially in the hardware business. Google is in the ad business - the surveillance business - full stop. And I say this as a fan of Google and someone who still uses their public DNS. But it's not surprising that people wonder how they use data.
But for every article about Facebook's creepy stalker behavior, thousands of other companies are breathing a collective sigh of relief that it's Facebook and not them in the spotlight. Because while Facebook is one of the biggest players in this space, there are thousands of other companies that spy on and manipulate us for profit.
Harvard Business School professor Shoshana Zuboff calls it "surveillance capitalism."
Now what I'm not seeing is exactly which company's DNS is avoiding what credible harm that people here believe is potentially likely to result from using Google DNS.
As far as Google (or any company, really) internally is concerned, the fact that they are merely "using" the data for themselves (to show you ads, or whatever) is not itself a harm to you. (And maybe worth mentioning, they have used a lot of information to make life a lot better for everyone, like location for traffic data.) The harm would be if they used it to (say) discriminate against you in advertising goods/services, or to harass you, or if they did not secure it properly and your data leaked, etc. None of these are things I'm aware of happening inside Google, but if you know of evidence of this happening, I would love to know.
As far as Google is concerned externally, the only threat you seem to have hinted at here is that you believe they are likely to sell your data to other parties who are then likely to abuse them (such as by harassing you directly, or sharing/exposing your data online to others who might harm you). I have seen no evidence that this has been the case with Google (or Facebook) either -- which should make sense given that you believe user data is their most important asset -- but again, if you have any, by all means do share.
Pervasive Monitoring Is an Attack:
You're right, a threat is potential damage, these things are done damage.
But it does. If you need a product generally you would just go out and buy it. Ads are psychologically manipulating you to buy things you don’t need and spend your limited time on this Earth doing things that aren’t beneficial to you. It wasn’t too bad when it was just billboards and TV slots but now it’s you vs the algorithms on a personal level.
1. Targeted ads requires enormous machineries of surveillance and file-keeping. Having too much information in closely related form is akin to having too much uranium in close proximity; it causes problems all of its own almost just by merely existing.
2. Ads in general, even the beneficial ones are, by definition, distracting from whatever content we were trying to read. See: São Paulo’s “Cidade Limpa”.
You are welcome to believe that Google is just actively causing harm. But I don't understand why you'd specifically do this for them but not other businesses.
Especially since people asking that generally know nothing about the people who criticize a thing, and what else they might criticize in other contexts. It's not like they're busy criticizing some bigger evil and criticism of $thing_under_current_discussion blocks their noble work. At worst they're doing nothing, yet expect others who are doing something -- even if that's just making one decision against one product or company, rather than zero, and making one comment about their own personal actual stance, instead of about synthesized hypothetical persons -- to take some time out of their day to answer pointless "questions".
I personally try to advocate for good privacy education at places of work, study and play, usually with a combination of a) the narrative / context, b) Provide simple examples (of why it probably matters), c) Explain with metaphors, and d) Give some simple advice where possible.
It’s not a perfect strategy but I think it does noticeably help lift the awareness bar.
> “Google Public DNS does not PERMANENTLY store personally identifiable information.”
You have to be very, very careful with services like this especially when it comes to Google, Facebook and Microsoft (and the companies they own), they use weasel wording in documents like this almost all the time and it’s clearly with intent to /seem/ as if they’re good citizens rather than to _prove_ that they are.
> Google Public DNS stores two sets of logs: temporary and permanent.
> The temporary logs store the full IP address of the machine you're using.
> We delete these temporary logs within 24 to 48 hours.
> In the permanent logs, we don't keep personally identifiable information or IP information.
"Permanently" is not weasel-worded here.
When an easy alternative is a company that doesn't have a reason to store this data, why not choose them?
My Google activity page shows a big fat "No Activity". I have no doubt that they have plenty of my personal data rattling around on various servers, but Google at least pay lip service to offering you control over your data. European data regulators would be extremely displeased if they learned that these controls don't actually do what they purport to do.
You mean 3x faster for you, right? We're talking about a geographically distributed system here... for me it's not too different. Or do you mean their DNS servers are somehow by their nature 3x faster than Google's at responding?
Cloudflare are a CDN company. Running a fast geographically distributed system is their core competence.
Google I have essentially no trust in at all anymore (or maybe ever), Cloudflare I trust to a ‘reasonable’ degree; by that I mean I don’t believe they would (at the and leading up to the time of writing this comment) sell identifiable user data from their 188.8.131.52 DNS service and they have a very high technical skill level when it comes to internet security especially with regards to routing and network metadata. However it’s still not ideal or even slightly close to perfect security and while I’d trust Cloudflare over Google in a heartbeat - like anything that could change and better options that are also easy to use may (will likely) pop up.
Note that in the (wonderful) GDPR world, it's very hard for Google to do a sleight of hand with this stuff and actually be doing anything mischievous.
Unless I missed a press release announcing Google's acquisition of Seamless and Reddit, this seems impossible. AFAIK MyActivity doesn't track what you do inside non-Google apps.
And it's been saying that since I clicked 'Activity controls' on the side there, and unticked every box.
I don't for a moment believe it's all Google has on me, but you don't have to live with it.
I use a different Gmail account for maps.
I use DuckDuckGo for search.
Instead of Google I use third parties for everything else they do that they listed on here that they track.
My history/activity on their servers was limited outside of tracking my location.
I would love a decent alternative to Google Maps but nothing I’ve used comes close.
(Disclaimer, below is about maps, and my personal anecdote. Ignore as necessary.)
(Though I must say, I'm in the process of trialing a new mapping app. Because Google have failed me.
I live in a suburb that was created 2 years ago. It replaced part of an old suburb, and a new area that hadn't been assigned. They created a new postcode for this new suburb too. Two years on, Google doesn't know it exists, so my address doesn't exist. It has my road, but no name, no numbers.
I tried out OsmAnd+ (via F-Droid), an Android mapping program, based mostly on OpenStreetMaps. It has my suburb, and my address. Since about 1 year, 10 months ago. The directions are flawless, and it has a decent GPS voice.
However, it doesn't have as decent coverage of the Points-Of-Interest stuff that Google Maps has, but I'm fine with that, never used them anyway, apart from finding the nearest fast food place or gas station on a long trip.
And the public transport stuff is hit & miss. But I can't keep up with bus timelines in my area myself, they change about once every 3 months because of strikes.)
In short, the observation that “there are no whistleblowers” is not proof of the non-existence of a conspiracy.
The only thing you can realistically do is to evaluate the incentives of all the parties involved. And, sure, Google’s public promises of privacy (weasel-words or not), provide some incentive for them. But you also have to look at their actual risk of getting caught. How many people inside Google would they need to siphon off this data, analyze it, and re-inject it into their existing personal models (shadow profiles) of everyone? Call it “additional weight-adjustment from machine learning” or something. No-one outside the small group could then see that the extra data came from data analysis. Would the small risk of one of these few people blowing the whistle be worth it for Google, who absolutely depend on having the best information about everyone?
No. Public DNS isn't even 1 decade old and Google already has massive insight from google analytics, adsense/adwords, the doubleclick network, android and store, chrome browser, chrome os, google search, google maps, gmail, youtube, google play, google fiber, google fi, google cloud platform, and all the various web properties that carry 1st-party cookies that easily get around Safari's misguided cookie war and have GDPR consent.
Trying to secretly sneak in some crappy DNS data is not worth it at all.
Why do you think you know this for sure then?
There are limits, however, to how private you can get. Most people have email accounts through google, which means if you correspond with someone by email, even if your email isn't gmail, google is still analyzing what you wrote (they claimed to no longer be doing this, but I have no reason to believe them). As such, it is your job (not the parent specifically, but anyone reading this) to fight back against google's monopoly on information! Set up a private mail server for friends and family. Pressure work to use amazon or microsoft (not much better, but better nevertheless) for enterprise services over google. (This one may be easier as there are legitimate horror stories regarding gcp and gsuite that you can point to, such as the recent incident of someone's gcp account getting completely frozen without warning and reason for 3 days.) Above all, however, make sure not to look like you're wearing a tinfoil hat. Sound reasonable and if someone doesn't want to switch, don't push too hard; you lose credibility that way.
Crazy, interesting, and a little scary.
It knows my political affiliation, movies I like, music I listen to, kind of work I do, my financials, my weaknesses as a programmer, what clothes my kids wear, what books I read, what mobile apps I use and how often, videos I watch and who the fuck knows what else under the covers.
Disgusting. How does one run away from this?
(I agree that for privacy DNS over https is good, but the resolver still sees your dns queries)
Dnscrypt-proxy spreads your queries across multiple servers and keeps them private.
If you can afford it, consider running a dnscrypt server yourself.
> This is unfortunately something we can’t do something about. Nameservers responsible for archive.is (ben.archive.is, anna.archive.is) are returning answers tailored to the IP address of the requestor.
> it is because of 184.108.40.206
> try 220.127.116.11
But compare that answer to the continued technical breakdowns given by CloudFlare as they tried to work out why archive.is is returning an inaccessible IP based on request IP.
CloudFlare attempted to determine why there was a problem, archive.is shrugged it off.
"returning answers tailored to the IP address of the requestor" is normal and correct behavior for most large websites, the problem is that one of those IP addresses is wrong. Specifically, when the requester is CloudFlare, archive.is is returning a CloudFlare internal IP address instead of their own. I'm guessing where they got that IP address is that it's the requester, and where they got mixed up is that virtually all high-volume DNS requesters that appear overnight are DDoS attacks.
Or are they claiming archive.is is explicitly blacklisting the cloudflare IP range? If that is the case it seems odd they are claiming the upstream is misconfigured as opposed to explicitly blocking them. Something does not add up correctly.
They do not handle it at all. Remember that the responses are tailored to the IP address of the client, i.e. Cloudflare's back end. It is not Cloudflare that is doing that tailoring. So the question that you should be asking is how come archive.is did that tailoring for (as you claim at any rate, although I suspect that no-one has exhaustively tested this before claiming it) every single other DNS provider and not Cloudflare.
Indeed, if you read what you replied to, you'll find that it's the inverse of that situation. archive.is answers are explicitly tailored by archive.is for whenever it is, specifically, Cloudflare asking. So the question that you should be asking is how come archive.is is saying that it is on a Cloudflare-hosted CDN ("cdn-wo-ecs.archive.is", mapped to Cloudflare hosting IP addresses), but only saying that when it is Cloudflare asking.
Once you ask that latter question, you'll get to the meat of the issue, which is that archive.is demands that Cloudflare et al. pass on (most of) your IP address to them, and returns fake name-to-address mappings for Cloudflare and indeed anyone else who says that (for privacy or otherwise) they are not going to pass on that kind of ultimate client identifying information to archive.is nor to anyone else.
(It's archive.is tailoring its response where there is no EDNS0 client subnet, a.k.a. ECS, information, for the technical. That's what the "wo-ecs" means.)
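What the EDNS0 client subnet (ECS) option discussed in the comment above carries on the wire, as an added example that is not part of the thread: it builds a DNS query with and without the option, following the RFC 7871 layout, and reports which client prefix an authoritative server would see. The function names, the query name and the addresses (documentation ranges) are constructed for illustration.

```python
"""Added example: the EDNS0 Client Subnet (ECS) option on the wire (RFC 7871)."""
import ipaddress
import struct

OPT_RR_TYPE = 41       # EDNS0 OPT pseudo-record (RFC 6891)
ECS_OPTION_CODE = 8    # EDNS Client Subnet option (RFC 7871)


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ecs_option(subnet):
    """Build the ECS option: family, source prefix length, scope 0, address."""
    net = ipaddress.ip_network(subnet, strict=False)  # zeroes the host bits
    family = 1 if net.version == 4 else 2
    nbytes = (net.prefixlen + 7) // 8                 # only the prefix bytes are sent
    data = struct.pack("!HBB", family, net.prefixlen, 0)
    data += net.network_address.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(name, subnet=None):
    """Build an A query with an OPT record; add ECS only if a subnet is given."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # RD set, 1 additional
    question = encode_name(name) + struct.pack("!HH", 1, 1)      # type A, class IN
    rdata = ecs_option(subnet) if subnet else b""
    # OPT RR: root name, type 41, class = UDP payload size, TTL = flags, RDLENGTH
    opt = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 1232, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(msg, pos):
    """Return the offset just past the (possibly compressed) name at pos."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:   # compression pointer is two bytes long
            return pos + 2
        pos += 1 + length


def disclosed_subnet(msg):
    """Return the client subnet a DNS message discloses via ECS, or None."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4               # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype != OPT_RR_TYPE:
            continue
        i = 0
        while i + 4 <= len(rdata):                  # walk the EDNS options
            code, olen = struct.unpack("!HH", rdata[i:i + 4])
            body = rdata[i + 4:i + 4 + olen]
            i += 4 + olen
            if code != ECS_OPTION_CODE or olen < 4:
                continue
            family, source_len, _scope = struct.unpack("!HBB", body[:4])
            if family not in (1, 2):
                continue
            size = 4 if family == 1 else 16
            addr = body[4:].ljust(size, b"\x00")[:size]
            return f"{ipaddress.ip_address(addr)}/{source_len}"
    return None


if __name__ == "__main__":
    # Constructed inputs: no ECS, an IPv4 client and an IPv6 client.
    for subnet in (None, "203.0.113.77/24", "2001:db8:1234:5678::1/56"):
        query = build_query("example.com", subnet)
        print(subnet, "->", disclosed_subnet(query))
```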
Look at the incentive and core business of the two companies.
Cloudflare is not in the business of mining as much data about you as possible. They don't sell ads and don't make money trying to make you fit into a profile. They have zero incentive to keep a history of all your DNS requests.
Google, on the other hand, claims they don't do it but it will make complete sense for their business to do it.
Your username is anothergoogler; do you work for Google?