
What are the data retention policies for ISPs regarding DNS logs, IP connections, and packet metadata across major providers?

Checked on November 18, 2025

Executive summary

Major ISPs and DNS providers follow a patchwork of practices: some jurisdictions (e.g., EU, Australia) have mandatory retention laws requiring ISPs to store connection metadata for fixed periods, while the United States has no nationwide mandatory ISP retention law and many providers set retention in privacy policies [1] [2] [3] [4]. Public DNS operators and cloud DNS services publish varied retention windows — for example Google Public DNS keeps temporary logs 24–48 hours then stores anonymized samples, while privacy‑focused resolvers (Cloudflare, Quad9, NextDNS) advertise much shorter or configurable retention [5] [6] [7].

1. Law vs practice: who actually forces ISPs to keep data?

Legislative regimes drive retention in many countries: the EU and some national laws historically required broad retention (the EU directive was later struck down), Australia enacted two‑year mandatory metadata retention, and other nations maintain similar rules — these laws dictate what metadata ISPs must hold and for how long [1] [3]. By contrast, the United States “does not have any Internet Service Provider (ISP) mandatory data retention laws similar to the European Data Retention Directive,” so retention in the U.S. is primarily determined by ISPs’ internal policies, commercial needs, or specific legal process [1] [2] [4].

2. DNS logs: short windows for many public resolvers, longer for operators

Public DNS resolvers publish explicit policies: Google Public DNS keeps temporary logs with IP addresses and query details for about 24–48 hours and then retains anonymized, aggregated logs for longer-term analysis [5]. Cloudflare’s 1.1.1.1 emphasized short retention and “not storing user‑identifiable data,” and privacy DNS providers such as Quad9 similarly minimize or avoid personally identifiable logging [6]. Managed/cloud DNS services (AWS, Google Cloud, Microsoft) typically give customers control: logging can be enabled and retention configured, so it is often the enterprise customer, not the DNS vendor, that sets the retention window [6] [8].
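To make the tiered pattern above concrete (a short identifiable window, then anonymized aggregates, then deletion), here is an added example of a retention pass over a constructed DNS query log. It is illustrative code written for this page, not Google's or any resolver's implementation; the 48‑hour figure follows the page, while the 14‑day aggregate window and the /24 and /48 prefix lengths are assumed policy choices.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
import ipaddress

# Tiered retention windows. The 48-hour identifiable window mirrors the
# Google Public DNS figure quoted above; the 14-day aggregate window is an
# assumed value chosen for illustration.
IDENTIFIABLE_WINDOW = timedelta(hours=48)
AGGREGATE_WINDOW = timedelta(days=14)

def anonymize_ip(ip_text):
    """Coarsen a client address to a prefix (/24 for IPv4, /48 for IPv6).
    The prefix lengths are an assumed policy choice, not a figure from the page."""
    ip = ipaddress.ip_address(ip_text)
    plen = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

def apply_retention(records, now):
    """Split a raw DNS query log into what each retention tier keeps.

    records: iterable of (timestamp, client_ip, qname) tuples.
    Returns (identifiable, aggregated): full records newer than the
    identifiable window; per-(prefix, qname) counts with the client IP
    dropped for records up to the aggregate window; older records purged.
    """
    identifiable = []
    aggregated = Counter()
    for ts, client_ip, qname in records:
        age = now - ts
        if age <= IDENTIFIABLE_WINDOW:
            identifiable.append((ts, client_ip, qname))
        elif age <= AGGREGATE_WINDOW:
            aggregated[(anonymize_ip(client_ip), qname)] += 1
        # else: beyond the aggregate window, the record is not retained
    return identifiable, dict(aggregated)

# Constructed sample log using documentation-range addresses, not real traffic.
NOW = datetime(2025, 11, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    (NOW - timedelta(hours=1), "198.51.100.7", "example.com"),
    (NOW - timedelta(hours=47), "198.51.100.9", "example.org"),
    (NOW - timedelta(days=3), "198.51.100.7", "example.com"),
    (NOW - timedelta(days=5), "198.51.100.200", "example.com"),
    (NOW - timedelta(days=4), "2001:db8:abcd:1::5", "example.net"),
    (NOW - timedelta(days=30), "198.51.100.7", "example.com"),
]

if __name__ == "__main__":
    kept, counts = apply_retention(SAMPLE_LOG, NOW)
    print(f"identifiable records kept: {len(kept)}")
    for key, n in sorted(counts.items()):
        print(f"aggregate {key}: {n}")
```

The same pass run against a backup copy of the log is what would be needed to honour the stated window; if backups are exempt, the identifiable tier effectively lasts as long as the backup, which is the point raised in section 5.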

3. IP assignments, DHCP and session logs: big variance and few universal standards

ISPs record which customer had which IP at a given time because law enforcement uses that mapping; retention periods vary from months to years depending on country, provider, and business need. In the U.S. there’s no federal retention mandate, so ISPs set policies (commonly cited ranges include 6–24 months, but values vary) and may preserve data longer in backups or for operational reasons [9] [10] [11] [12]. Historical proposals and bills (e.g., U.S. legislative proposals) have sought to require ISPs to retain user‑to‑IP mappings, showing political pressure to standardize retention, but those are proposals, not universal rules [13].

4. Packet metadata and “NetFlow”/connection records: kept for security and operations

Network metadata (NetFlow/IPFIX, firewall logs, packet captures) is valuable for security and network management; enterprises and ISPs log it to detect anomalies and investigate incidents. Providers and security vendors stress that metadata has high investigative value while consuming less storage than full packet captures — but retention is governed by operational policy, regulatory demands, and storage cost trade‑offs [14] [15] [16].

5. What providers disclose vs what they might keep in backups

Many ISPs claim limited active retention windows in privacy notices, yet legal or technical realities mean copies or backups can persist longer. Public DNS operators are more transparent about deletion windows (e.g., Google’s 24–48 hours) while ISPs’ privacy policies and annual notices (e.g., Cox) confirm DNS and connection metadata are aggregated and used for analytics or security [5] [17]. Independent watchdogs (EFF) warn mandatory retention regimes compel ISPs to create large databases of who‑communicates‑with‑whom and can override data‑protection limits [2].

6. Practical implications for users and defenses

If you want to limit what an ISP logs: use privacy‑focused resolvers (Cloudflare, Quad9, NextDNS) or encrypted DNS (DoH/DoT) and VPNs/Tor to reduce direct visibility of DNS and destination IPs — but note these shift trust to the resolver or VPN operator and may not eliminate layer‑3 metadata [6] [7] [18]. Also, enterprise and cloud customers can configure DNS and logging retention when using managed services [6].

7. Gaps in available reporting and how to get specifics

Available sources outline country laws and some vendor policies, but do not provide a comprehensive, up‑to‑date table of “major ISPs” retention periods by company and country. For precise retention windows for a named ISP or DNS operator, the company's current privacy policy and its regulator filings are the decisive sources; not all of these are summarized in the reports cited here (not found in current reporting).

Context and potential agendas: privacy advocates (EFF, privacy guides) emphasize civil‑liberties harms and push minimal logging; ISPs and governments emphasize law enforcement and national security uses and cite operational needs and cost [2] [13] [3]. That tension explains why policy and practice remain fragmented rather than uniform across “major providers” [1] [2].
