AT&T U-Verse Blocking traffic on 1.1.1.1 (Again?)

dweller · 2018-11-21 17:16:35 UTC

DNS Server 1.0.0.1 is ok:

$ dig one.one.one.one @1.0.0.1 +short
1.1.1.1
1.0.0.1

DNS Server 1.1.1.1 is unresponsive:

$ dig one.one.one.one @1.1.1.1

; <<>> DiG 9.10.6 <<>> one.one.one.one @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

HTTPS is also blocked:
$ curl --head 1.1.1.1
curl: (7) Failed to connect to 1.1.1.1 port 443: Connection refused

HTTPS on 1.0.0.1 is ok:
$ curl --head 1.0.0.1
HTTP/2 200
date: Wed, 21 Nov 2018 17:11:26 GMT
content-type: text/html
last-modified: Thu, 15 Nov 2018 02:54:12 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
cache-control: max-age=600
x-content-type-options: nosniff
expect-ct: max-age=604800, report-uri=“https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct”
server: cloudflare
cf-ray: 47d4c6892c9aba78-ATL

Traceroute resolves incorrectly:

$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 52 byte packets
 1  192.168.2.1 (192.168.2.1)  2.229 ms  1.205 ms  0.993 ms
 2  one.one.one.one (1.1.1.1)  2.345 ms  1.864 ms  1.705 ms

$ traceroute 1.0.0.1
traceroute to 1.0.0.1 (1.0.0.1), 64 hops max, 52 byte packets
 1  192.168.2.1 (192.168.2.1)  3.110 ms  1.618 ms  1.186 ms
 2  192.168.1.254 (192.168.1.254)  2.041 ms  1.861 ms  1.814 ms
 3  99-125-112-1.lightspeed.nsvltn.sbcglobal.net (99.125.112.1)  29.172 ms  22.802 ms  34.993 ms
 4  99.174.25.10 (99.174.25.10)  24.747 ms  28.078 ms  23.434 ms
 5  99.131.205.130 (99.131.205.130)  24.744 ms * *
 6  12.83.112.17 (12.83.112.17)  26.656 ms
    12.83.112.9 (12.83.112.9)  25.386 ms  24.526 ms
 7  12.122.117.97 (12.122.117.97)  30.676 ms  33.010 ms  31.229 ms
 8  192.205.36.218 (192.205.36.218)  30.014 ms  29.280 ms  29.730 ms
 9  64.86.113.90 (64.86.113.90)  29.330 ms  34.309 ms  31.055 ms
10  one.one.one.one (1.0.0.1)  29.730 ms  29.970 ms  29.746 ms

For what it is worth, I’m also unable to connect to 8.8.8.8. But 8.8.4.4 is ok. But that is not relevant to this forum.

dweller · 2018-11-21 19:07:46 UTC

Quick update: AT&T has fixed the routing issue to 8.8.8.8. But 1.1.1.1 is still blocked for me. 1.0.0.1 works.

sandro · 2018-11-21 19:10:09 UTC

It would seem as if your own network hardware hijacks 1.1.1.1.

What is 192.168.2.1 and what is 192.168.1.254?

dweller · 2018-11-21 19:11:46 UTC

192.168.2.1 is my personal router and 192.168.1.254 is the AT&T supplied router.

sandro · 2018-11-21 19:12:38 UTC

My guess would be the AT&T router hijacks the address in this case. Which model is it?

dweller · 2018-11-21 19:14:28 UTC

It is an AT&T branded box. The diagnostics say:

Manufacturer: Pace Plc
Model: 5268AC

sandro · 2018-11-21 19:21:40 UTC

That seems to be identical to the Arris 5268ac.

There is quite a bit on that out there, also here on the forum FYI: Not working with AT&T U-Verse

Maybe https://www.dslreports.com/forum/r31901379-AT-T-gateway-5268ac-maybe-others-misrouting-1-1-1-0-24 can help too, or https://arstechnica.com/information-technology/2018/05/att-is-blocking-cloudflares-privacy-focused-dns-calls-it-an-accident/

dweller · 2018-11-21 19:27:06 UTC

Interesting. Thanks for the information. It looks like there is nothing I can do to fix it. I’ll just use 1.0.0.1 for now.

For completeness, I tried running a traceroute directly from the router using the web interface on the router. Here is the result:

To 1.0.0.1 (good):

traceroute 1.0.0.1 with: 64 bytes of data

1: 99.125.112.1(99-125-112-1.lightspeed.nsvltn.sbcglobal.net), time=20 ms
2: 99.174.25.10(99.174.25.10), time=23 ms
3: 99.131.205.130(99.131.205.130), time=23 ms
4: 12.83.112.17(12.83.112.17), time=23 ms
5: 12.122.117.97(12.122.117.97), time=28 ms
6: 192.205.36.218(192.205.36.218), time=26 ms
7: 64.86.113.90(64.86.113.90), time=39 ms
8: 1.0.0.1(one.one.one.one), time=31 ms

And to 1.1.1.1 (bad):

traceroute 1.1.1.1 with: 64 bytes of data

1: 1.1.1.1(one.one.one.one), time=0 ms

sandro · 2018-11-21 20:05:07 UTC

In one of the articles someone mentioned a possible patch being released by AT&T to address that issue. Maybe check if there is such a patch available. You have to use their router I presume, right? Its the DSL modem, isnt it?

devissio · 2018-11-21 20:13:25 UTC

I just checked mine and it is working now tracerouting to 1.1.1.1 is the same as 1.0.0.1

Looks like my DSL modem was rebooted 9 days ago.

Current firmware is 11.1.0.531418-att

I have the same pace modem BTW

yAAiTPkE4Pzr · 2018-11-27 16:55:49 UTC

The AT&T router (as the dslreports links mention) is using 1.1.1.1 for some internal routing. It seems some updates have fixed this, but broken other things. The current workaround is to bypass the router with another box that’s forwarding the ethernet authentication pings to the router. Otherwise, the router isn’t handling any traffic. It’s ridiculous. This is also for their 1 Gig fiber products, I imagine they share modems to some extent.

dweller · 2018-11-27 17:13:48 UTC

Yes. That is correct.

Nice. Mine is still at 10.7.0.530220-att. Hopefully I’ll get the 11.1 update pushed to my router soon and that will fix the issue for me.

owine · 2018-11-27 19:34:38 UTC

You might be able to manually install it if you like:

https://www.dslreports.com/forum/r32138421-Pace-5268AC-New-software-installed-overnight-ver-11-1-0-531418