AT&T U-Verse Blocking traffic on 1.1.1.1 (Again?)

dweller · November 21, 2018, 5:16pm

DNS Server 1.0.0.1 is ok:

$ dig one.one.one.one @1.0.0.1 +short
1.1.1.1
1.0.0.1

DNS Server 1.1.1.1 is unresponsive:

$ dig one.one.one.one @1.1.1.1

; <<>> DiG 9.10.6 <<>> one.one.one.one @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

HTTPS is also blocked:
$ curl --head 1.1.1.1
curl: (7) Failed to connect to 1.1.1.1 port 443: Connection refused

HTTPS on 1.0.0.1 is ok:
$ curl --head 1.0.0.1
HTTP/2 200
date: Wed, 21 Nov 2018 17:11:26 GMT
content-type: text/html
last-modified: Thu, 15 Nov 2018 02:54:12 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
cache-control: max-age=600
x-content-type-options: nosniff
expect-ct: max-age=604800, report-uri=“https://report-uri.Cloudflare.com/cdn-cgi/beacon/expect-ct”
server: Cloudflare
cf-ray: 47d4c6892c9aba78-ATL

Traceroute resolves incorrectly:

$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 52 byte packets
 1  192.168.2.1 (192.168.2.1)  2.229 ms  1.205 ms  0.993 ms
 2  one.one.one.one (1.1.1.1)  2.345 ms  1.864 ms  1.705 ms

$ traceroute 1.0.0.1
traceroute to 1.0.0.1 (1.0.0.1), 64 hops max, 52 byte packets
 1  192.168.2.1 (192.168.2.1)  3.110 ms  1.618 ms  1.186 ms
 2  192.168.1.254 (192.168.1.254)  2.041 ms  1.861 ms  1.814 ms
 3  99-125-112-1.lightspeed.nsvltn.sbcglobal.net (99.125.112.1)  29.172 ms  22.802 ms  34.993 ms
 4  99.174.25.10 (99.174.25.10)  24.747 ms  28.078 ms  23.434 ms
 5  99.131.205.130 (99.131.205.130)  24.744 ms * *
 6  12.83.112.17 (12.83.112.17)  26.656 ms
    12.83.112.9 (12.83.112.9)  25.386 ms  24.526 ms
 7  12.122.117.97 (12.122.117.97)  30.676 ms  33.010 ms  31.229 ms
 8  192.205.36.218 (192.205.36.218)  30.014 ms  29.280 ms  29.730 ms
 9  64.86.113.90 (64.86.113.90)  29.330 ms  34.309 ms  31.055 ms
10  one.one.one.one (1.0.0.1)  29.730 ms  29.970 ms  29.746 ms

For what it is worth, I’m also unable to connect to 8.8.8.8. But 8.8.4.4 is ok. But that is not relevant to this forum.

dweller · November 21, 2018, 7:07pm

Quick update: AT&T has fixed the routing issue to 8.8.8.8. But 1.1.1.1 is still blocked for me. 1.0.0.1 works.

sandro · November 21, 2018, 7:10pm

It would seem as if your own network hardware hijacks 1.1.1.1.

What is 192.168.2.1 and what is 192.168.1.254?

dweller · November 21, 2018, 7:11pm

192.168.2.1 is my personal router and 192.168.1.254 is the AT&T supplied router.

sandro · November 21, 2018, 7:12pm

My guess would be the AT&T router hijacks the address in this case. Which model is it?

dweller · November 21, 2018, 7:14pm

It is an AT&T branded box. The diagnostics say:

Manufacturer: Pace Plc
Model: 5268AC

sandro · November 21, 2018, 7:21pm

That seems to be identical to the Arris 5268ac.

There is quite a bit on that out there, also here on the forum FYI: Not working with AT&T U-Verse

Maybe https://www.dslreports.com/forum/r31901379-AT-T-gateway-5268ac-maybe-others-misrouting-1-1-1-0-24 can help too, or https://arstechnica.com/information-technology/2018/05/att-is-blocking-Cloudflares-privacy-focused-dns-calls-it-an-accident/

dweller · November 21, 2018, 7:27pm

Interesting. Thanks for the information. It looks like there is nothing I can do to fix it. I’ll just use 1.0.0.1 for now.

For completeness, I tried running a traceroute directly from the router using the web interface on the router. Here is the result:

To 1.0.0.1 (good):

traceroute 1.0.0.1 with: 64 bytes of data

1: 99.125.112.1(99-125-112-1.lightspeed.nsvltn.sbcglobal.net), time=20 ms
2: 99.174.25.10(99.174.25.10), time=23 ms
3: 99.131.205.130(99.131.205.130), time=23 ms
4: 12.83.112.17(12.83.112.17), time=23 ms
5: 12.122.117.97(12.122.117.97), time=28 ms
6: 192.205.36.218(192.205.36.218), time=26 ms
7: 64.86.113.90(64.86.113.90), time=39 ms
8: 1.0.0.1(one.one.one.one), time=31 ms

And to 1.1.1.1 (bad):

traceroute 1.1.1.1 with: 64 bytes of data

1: 1.1.1.1(one.one.one.one), time=0 ms

sandro · November 21, 2018, 8:05pm

In one of the articles someone mentioned a possible patch being released by AT&T to address that issue. Maybe check if there is such a patch available. You have to use their router I presume, right? Its the DSL modem, isnt it?

devissio · November 21, 2018, 8:13pm

I just checked mine and it is working now tracerouting to 1.1.1.1 is the same as 1.0.0.1

Looks like my DSL modem was rebooted 9 days ago.

Current firmware is 11.1.0.531418-att

I have the same pace modem BTW

yAAiTPkE4Pzr · November 27, 2018, 4:55pm

The AT&T router (as the dslreports links mention) is using 1.1.1.1 for some internal routing. It seems some updates have fixed this, but broken other things. The current workaround is to bypass the router with another box that’s forwarding the ethernet authentication pings to the router. Otherwise, the router isn’t handling any traffic. It’s ridiculous. This is also for their 1 Gig fiber products, I imagine they share modems to some extent.

dweller · November 27, 2018, 5:13pm

Yes. That is correct.

Nice. Mine is still at 10.7.0.530220-att. Hopefully I’ll get the 11.1 update pushed to my router soon and that will fix the issue for me.

owine · November 27, 2018, 7:34pm

You might be able to manually install it if you like:

https://www.dslreports.com/forum/r32138421-Pace-5268AC-New-software-installed-overnight-ver-11-1-0-531418

system · June 18, 2021, 9:51pm