Actually google is one of the few organizations out there with real reproducible builds. If they gave you the sources and the program image, you could prove the latter was derived from the former.

This has nothing to do with what software they're running internally though, and again as I said even if you can audit and build your own version of the Google DNS infrastructure there's nothing guaranteeing that it's exactly what's running internally.

The problem is that ultimately there is a conflict of interest - Google is an advertising company that benefits from knowing as much as possible about people for ad targeting purposes, and as such some people (like me) might not be willing to trust them.

My personal bias is that I've worked at Google and I've worked elsewhere and I know that Google's control over what code runs in prod is years ahead of the other places I've worked. They have strong controls that audit that binaries running as sensitive roles (roles with access to real user data and logs) were produced from reviewed and submitted code and built in the official hermetic build farm. For very sensitive roles (gmail etc) they audit the command line and everything. The controls everywhere else I've worked are a complete joke by comparison.

This quote is from Google's security infrastructure whitepaper:

"""Google’s source code is stored in a central repository where both current and past versions of the service are auditable. The infrastructure can additionally be configured to require that a service’s binaries be built from specific reviewed, checked in, and tested source code. Such code reviews require inspection and approval from at least one engineer other than the author, and the system enforces that code modifications to any system must be approved by the owners of that system. These requirements limit the ability of an insider or adversary to make malicious modifications to source code and also provide a forensic trail from a service back to its source. """

I don't think the conflict you mention exists. Google benefits when people use the open web. They run DNS because DNS is critical to web user experience and ISP DNS is garbage. Also, by the way, ISP DNS privacy story is a complete disaster.

I am not talking about malicious code contrary to Google's intention being ran on their infrastructure. I am talking about code that Google wants to run. Code that harvests DNS queries for ad targeting might be within Google's objectives and wouldn't be considered as malicious, but it would be malicious when looking at it from the user's point of view.

You're saying that Google has a plan to intentionally subvert their published privacy policy, and act which if discovered would end the company's existence, and that some engineer on the project wrote and another reviewed this change, that none of the dozens of privacy zealots in their internal privacy org[1] have managed to notice, and that the people who operate 8.8.8.8, some of whom are just as privacy-deranged as anyone you've ever met, and who collectively own a disturbing number of fedoras, kilts, and unicycles, who are the biggest nerds you've ever seen, happily run this service 24x7 without blowing the whistle?

Seems unlikely.

1: https://gizmodo.com/meet-the-woman-who-leads-nightwatch-goog...

Facebook has been caught doing that where phone numbers for 2FA purposes that were promised not to be used for ad targeting started being used for exactly that purpose. Facebook is of comparable size and operates within the same regulatory environment as Google, so if they can do it and get away with it there's no reason to believe it would be different for Google.