FYI: Not working with AT&T U-Verse


#1

Thanks for the new public DNS Service.
I can use the secondary DNS (1.0.0.1) but not the primary.
Primary works on AT&T Wireless.
Fails on AT&T U-Verse DSL.

That said, it may not be AT&T that are blocking it. My WiFi is via Google WiFi and maybe they are blocking it, or the AT&T DSL Modem is blocking it, or maybe AT&T U-Verse are.

I can ping, and I can traceroute to 1.1.1.1, can’t curl or DNS there.
I can DNS if I use the IPv6 address and I can use 1.0.0.1


#2

It will probably help the networking team if you post a traceroute, since you can do it.


#3

I have the same issue with Charter/Spectrum. As @matteo says, do a traceroute.

I sent my traceroute to customer support at Spectrum. Hopefully they can open it up. For now, I’m using 1.0.0.1


#4

Yes, it appears that with AT&T at least some of their modems have a 1.1.1.1 route in their firmware, so at some point hopefully they will release a new firmware update for it… In the meantime I think you’re set using the 1.0.0.1 and IPv6 addresses.

At least a couple of folks at AT&T are aware of the issue, but I am sure they would love to hear from you as well. 🙂


#5

I’m on U-verse in Riverside, CA. I can reach https://1.1.1.1/, and I can use cleartext port 53 UDP resolving with 1.1.1.1, 1.0.0.1, and the IPv6 addresses. I cannot use DNS over TLS with the Unbound resolver on Debian Wheezy, the base distribution of my Vyatta-based EdgeMax router.

Most queries to all four IPs, both the IPv4 and both the IPv6, return a lot of:

query response was nodata ANSWER

in the verbose logs.

Traceroute to 1.1.1.1 follows:

traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 52 byte packets
 1  10.0.0.1 (10.0.0.1)  0.919 ms  0.617 ms  0.586 ms
 2  192.168.1.254 (192.168.1.254)  2.849 ms  1.411 ms  1.759 ms
 3  75-19-172-1.lightspeed.rvsdca.sbcglobal.net (75.19.172.1)  24.908 ms  62.559 ms  26.941 ms
 4  71.147.134.21 (71.147.134.21)  28.427 ms  26.443 ms  23.474 ms
 5  * * *
 6  12.83.38.201 (12.83.38.201)  26.561 ms
    12.83.38.205 (12.83.38.205)  21.588 ms  26.423 ms
 7  ggr2.la2ca.ip.att.net (12.122.128.97)  27.834 ms  27.345 ms  24.243 ms
 8  * * *
 9  if-ae-2-2.tcore2.lvw-los-angeles.as6453.net (66.110.59.2)  62.722 ms
    if-ae-30-2.tcore1.eql-los-angeles.as6453.net (206.82.129.18)  57.453 ms
    if-ae-2-2.tcore2.lvw-los-angeles.as6453.net (66.110.59.2)  61.769 ms
10  if-ae-6-2.tcore1.eql-los-angeles.as6453.net (64.86.252.66)  54.850 ms
    206.82.129.227 (206.82.129.227)  26.186 ms
    if-ae-6-2.tcore1.eql-los-angeles.as6453.net (64.86.252.66)  57.742 ms
11  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  28.505 ms  22.601 ms
    206.82.129.227 (206.82.129.227)  23.067 ms

Notice that a Tata Communications IP also responds on the last hop of the trace.

E: It looks like it may be that my version of Unbound is just too heckin’ old. It’s version 1.4.17, which was released in 2012. I’m going to try building a package based on the latest, targeting Wheezy, using a Wheezy MIPS Qemu VM.

E2: It works just fine if I configure Unbound to use the four IPs (IPv4+6) with TLS disabled, port 53 UDP. I have no idea whether they’re just intercepting my traffic and stuffing it into their own DNS servers instead of honoring my traffic and forwarding it to Cloudflare. Or if they’re logging any of the requests, for that matter.

So, clear DNS to Cloudflare works from Riverside, CA, if I configure my DNS proxy properly, which accepts requests for the entire home network.


#6

I have AT&T 1Gig Fiber and I also am unable to connect to 1.1.1.1. The alternative IP works though (1.0.0.1).

Tracert:

Tracing route to 1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms GT-AC5300-4180 [10.0.0.1]
2 17 ms 4 ms 9 ms 172-14-176-1.lightspeed.dllstx.sbcglobal.net [172.14.176.1]
3 4 ms 3 ms 4 ms 71.155.13.102
4 * * * Request timed out.
5 11 ms 10 ms 4 ms 12.83.80.233
6 9 ms 6 ms 12 ms 12.123.18.229
7 3 ms 4 ms 4 ms 192.205.36.206
8 4 ms 4 ms 6 ms 66.110.56.158
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.


#7

I have AT&T Fibre with a BGW-210 router. Though I use my own internal router, I am forced to use AT&T’s border router, which they fully control.

I had no problem using Cloudflare DNS 1.1.1.1 or 1.0.0.1 from around April 1st until April 10. Starting on April 10, any traffic with destination IP of 1.1.1.1 or 1.0.0.1 on any port stops dead at the AT&T router.

Coincidentally, well, probably not, AT&T pushed an update to the BGW-210 router on April 10 at 04:00:

2018-04-10T01:42:08.567662-04:00 L6 FMWR[9826]: find_and_cmp_compat_filename(), flash block size 0x80
2018-04-10T01:42:08.567823-04:00 L6 FMWR[9826]: do_image_compatibility_check(), Compat file found: image is valid.
2018-04-10T01:42:33.181601-04:00 L6 FMWR[9826]: main(), Firmware Installation succeeded

Why would an ISP push an update that includes blocking to Cloudflare’s DNS? Perhaps they want to snoop through our Internet traffic?

traceroute - 192.168.2.1 is my Asus router. 192.168.1.254 is the AT&T BGW-210.

traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 52 byte packets
1 aether (192.168.2.1) 4.292 ms 0.947 ms 0.854 ms
2 * * *
3 * * *
4 * * *
5 * *^C

traceroute to 1.0.0.1 (1.0.0.1), 64 hops max, 52 byte packets
1 aether (192.168.2.1) 4.237 ms 0.897 ms 0.817 ms
2 192.168.1.254 (192.168.1.254) 1.095 ms 1.102 ms 0.935 ms
3 192.168.1.254 (192.168.1.254) 3205.895 ms !H 3068.970 ms !H 3074.089 ms !H


#8

I should also add the traceroute when I enable and connect to the wifi on the BGW-210 directly.

traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 52 byte packets
1 * * *
2 * * *
3 * * *
^C

traceroute to 1.0.0.1 (1.0.0.1), 64 hops max, 52 byte packets
1 dsldevice (192.168.1.254) 8.675 ms 3.682 ms 0.960 ms
2 dsldevice (192.168.1.254) 3109.475 ms !H 3069.568 ms !H 3071.957 ms !H


#9

I am in the Detroit, MI area on AT&T Fiber and can confirm that a firmware update to my BGW210 device has stopped me from being able to reach 1.1.1.1 or 1.0.0.1 from my router (EdgeRouter Pro) or any devices attached to it. My BGW210 is set up in an “IP Passthrough” configuration so my attached ER-Pro gets a public IP.

Traceroute to 1.1.1.1 and 1.0.0.1 from my router (ER-Pro) do not complete as expected:

[email protected]:~$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
(…)

[email protected]:~$ traceroute 1.0.0.1
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 38 byte packets
1 192.168.1.254 (192.168.1.254) 0.196 ms 0.144 ms 0.137 ms
2 192.168.1.254 (192.168.1.254) 3006.826 ms !H 3006.520 ms !H 3006.009 ms !H

However, if I do a traceroute from the BGW210 via the web interface I get very different results:

traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
1 1dot1dot1dot1.cloudflare-dns.com (1.1.1.1) 0.269 ms 0.145 ms 0.101 ms

traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 38 byte packets
1 1dot1dot1dot1.cloudflare-dns.com (1.1.1.1) 3006.089 ms !H 3004.644 ms !H 3005.969 ms !H

What’s doubly odd is that I can ping 1.1.1.1 from the BGW210 via the web interface and it returns sub-1ms responses which seems strangely fast but it is a fiber connection so I suppose it is possible? If I ping 1.0.0.1 it does not return anything.

Not sure if this is deliberate blocking on AT&T’s part. I think it looks more like someone at AT&T completely screwed up on the latest update for these devices.


#10

Likewise, I cannot use 1.1.1.1, but 1.0.0.1 is satisfactory. I am on ATT Uverse service with their router. Where can I find config instructions for the Pace 5268AC Router?

I am on a DSL copper connection verified +50Mb/s connection. This traceroute is through the above router. The other wireless devices are either integral to the router or bridged to it.

Looks like I could use the Cloudflare free DNS Resolver IP, but don’t know if the router can be set to this DNS in its internal setup, or whether I should use the IPv4, IPv6 or both working addresses. Advice, please.

Traceroute has started…

traceroute to 1.0.0.1 (1.0.0.1), 64 hops max, 72 byte packets
1 homeportal (192.168.1.254) 1.162 ms 0.650 ms 0.436 ms
2 107-137-228-2.lightspeed.jcvlfl.sbcglobal.net (107.137.228.2) 19.831 ms 44.586 ms 20.491 ms
3 99.132.13.62 (99.132.13.62) 20.167 ms 24.459 ms 19.436 ms
4 12.83.101.17 (12.83.101.17) 23.042 ms 21.199 ms 19.896 ms
5 12.122.117.97 (12.122.117.97) 32.314 ms 31.656 ms 32.324 ms
6 192.205.36.218 (192.205.36.218) 33.732 ms 33.006 ms 33.113 ms
7 64.86.113.90 (64.86.113.90) 32.027 ms 32.355 ms 33.133 ms
8 1dot1dot1dot1.cloudflare-dns.com (1.0.0.1) 31.950 ms 33.997 ms 33.383 ms


#11

Similar setup here. BGW-210 and Orbi combo, with IP Passthrough enabled. Switched to 1.1.1.1 and 1.0.0.1 on April 1st and everything worked great. Go out of town on business this week and get a panicked call from my wife on April 11th stating that nothing works anymore, which is always fun. Resetting the DNS to ATT default or Google’s servers resolves the issue. Neither 1.1.1.1 nor 1.0.0.1 works for me. Even enabling the GW’s built-in WiFi (which I don’t normally use) and connecting directly to the GW, I get the following:

traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 52 byte packets
 1  * * *
traceroute 1.0.0.1
traceroute to 1.0.0.1 (1.0.0.1), 64 hops max, 52 byte packets
 1  dsldevice (192.168.4.254)  3.672 ms  2.419 ms  2.427 ms
 2  dsldevice (192.168.4.254)  3009.408 ms !H  3050.200 ms !H  3009.146 ms !H
traceroute 1dot1dot1dot1.cloudflare-dns.com
traceroute: Warning: 1dot1dot1dot1.cloudflare-dns.com has multiple addresses; using 1.0.0.1
traceroute to 1dot1dot1dot1.cloudflare-dns.com (1.0.0.1), 64 hops max, 52 byte packets
 1  dsldevice.attlocal.net (192.168.4.254)  6.875 ms  3.404 ms  3.862 ms
 2  dsldevice.attlocal.net (192.168.4.254)  3063.349 ms !H  3072.056 ms !H  3071.338 ms !H
traceroute 1dot0dot0dot1.cloudflare-dns.com
traceroute: Warning: 1dot0dot0dot1.cloudflare-dns.com has multiple addresses; using 104.16.112.25
traceroute to 1dot0dot0dot1.cloudflare-dns.com (104.16.112.25), 64 hops max, 52 byte packets
 1  dsldevice.attlocal.net (192.168.4.254)  2.618 ms *  2.707 ms
 2  107-197-152-1.lightspeed.rlghnc.sbcglobal.net (107.197.152.1)  72.910 ms  3.666 ms  3.995 ms
 3  99.173.76.196 (99.173.76.196)  3.571 ms  3.217 ms  3.215 ms
 4  99.134.77.82 (99.134.77.82)  9.355 ms  4.015 ms  3.909 ms
 5  99.134.77.45 (99.134.77.45)  3.930 ms  3.974 ms  4.132 ms
 6  12.83.103.13 (12.83.103.13)  6.620 ms
    12.83.103.33 (12.83.103.33)  8.154 ms  7.055 ms
 7  12.123.138.178 (12.123.138.178)  15.649 ms  15.795 ms  18.464 ms
 8  12.122.2.190 (12.122.2.190)  15.975 ms  13.262 ms  13.317 ms
 9  12.122.113.37 (12.122.113.37)  16.203 ms  14.915 ms  15.197 ms
10  192.205.37.54 (192.205.37.54)  14.761 ms  13.802 ms  14.614 ms
11  ae-0.cloudflare.asbnva02.us.bb.gin.ntt.net (131.103.117.34)  15.730 ms  13.323 ms  13.809 ms
12  104.16.112.25 (104.16.112.25)  13.524 ms  13.282 ms  13.014 ms
traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  dsldevice (192.168.4.254)  4.902 ms  2.338 ms  2.623 ms
 2  107-197-152-1.lightspeed.rlghnc.sbcglobal.net (107.197.152.1)  5.353 ms  4.736 ms  3.982 ms
 3  99.173.76.196 (99.173.76.196)  3.814 ms  4.832 ms  4.554 ms
 4  99.134.77.82 (99.134.77.82)  4.217 ms  5.953 ms  3.700 ms
 5  99.134.77.45 (99.134.77.45)  4.149 ms  5.191 ms  3.523 ms
 6  12.83.103.13 (12.83.103.13)  4.841 ms
    12.83.103.33 (12.83.103.33)  12.938 ms  8.134 ms
 7  12.123.138.178 (12.123.138.178)  15.739 ms  12.834 ms  16.081 ms
 8  cr1.attga.ip.att.net (12.122.2.161)  16.021 ms  16.404 ms  15.677 ms
 9  gar1.nsvtn.ip.att.net (12.122.96.85)  12.487 ms  12.310 ms  14.371 ms
10  12.255.10.4 (12.255.10.4)  12.645 ms  13.715 ms
    12.255.10.12 (12.255.10.12)  12.988 ms
11  * * *
12  209.85.254.81 (209.85.254.81)  13.815 ms
    64.233.174.184 (64.233.174.184)  16.235 ms
    216.239.54.219 (216.239.54.219)  13.544 ms
13  google-public-dns-a.google.com (8.8.8.8)  12.472 ms
    216.239.54.227 (216.239.54.227)  12.582 ms
    216.239.54.131 (216.239.54.131)  13.394 ms

So I can’t use these DNS’ either via configuration to the Orbi or directly on the device. It does indeed appear that ATT is purposefully blocking. 1.0.0.1 allows some services to work, but not all, so I either have to rely on a secondary DNS server or just remove altogether. This is the kind of behavior that will force me to switch services. Thankfully I live in an area where I have multiple options for Gigabit internet.
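The traceroute patterns posted in this thread can be told apart mechanically. The following is an added example, not part of any post above: a small Python classifier for Unix-style traceroute output that separates a rejection by the LAN gateway (`!H` from a private address), a target that answers without any public hop in the path, a path that dies before leaving the LAN, and a normal path. The function name `classify`, the result labels and the shortened sample transcripts are assumptions made for this example.

```python
import ipaddress
import re

DEST = re.compile(r"^traceroute to \S+ \(([\d.]+)\)")  # header names the target
HOP = re.compile(r"^\s*\d+\s")                         # line that opens a new hop
ADDR = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")    # "(a.b.c.d)" reply address

def is_lan(addr):
    return ipaddress.ip_address(addr).is_private       # RFC 1918 and similar

def classify(trace):
    dest, hops = None, []
    for line in trace.splitlines():
        header = DEST.match(line)
        if header:
            dest = header.group(1)
        elif dest and HOP.match(line):
            hops.append({"addrs": set(ADDR.findall(line)), "unreach": "!H" in line})
        elif dest and hops:                            # extra reply for the same hop
            hops[-1]["addrs"].update(ADDR.findall(line))
            hops[-1]["unreach"] |= "!H" in line
    if dest is None:
        raise ValueError("no 'traceroute to' header found")
    seen = set()                                       # addresses of earlier hops
    for hop in hops:
        if hop["unreach"]:                             # ICMP host unreachable
            return "gateway-rejects" if all(map(is_lan, hop["addrs"])) else "unreachable-upstream"
        if dest in hop["addrs"]:                       # target replied
            return "reached" if any(not is_lan(a) for a in seen) else "answered-on-lan"
        seen |= hop["addrs"]
    return "lost-upstream" if any(not is_lan(a) for a in seen) else "dies-on-lan"

# Constructed samples, shortened from the patterns posted in the thread.
SAMPLES = {
    "rejects": """traceroute to 1.0.0.1 (1.0.0.1), 64 hops max, 52 byte packets
 1  dsldevice (192.168.1.254)  3.672 ms  2.419 ms  2.427 ms
 2  dsldevice (192.168.1.254)  3009.408 ms !H  3050.200 ms !H  3009.146 ms !H""",
    "silent": """traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 52 byte packets
 1  * * *""",
    "local": """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  0.269 ms  0.145 ms  0.101 ms""",
    "reached": """traceroute to 1.0.0.1 (1.0.0.1), 64 hops max, 72 byte packets
 1  homeportal (192.168.1.254)  1.162 ms  0.650 ms  0.436 ms
 2  12.83.101.17 (12.83.101.17)  23.042 ms  21.199 ms  19.896 ms
 3  1dot1dot1dot1.cloudflare-dns.com (1.0.0.1)  31.950 ms  33.997 ms  33.383 ms""",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", classify(text))
```

A result of `gateway-rejects`, `answered-on-lan` or `dies-on-lan` points at the customer-premises device rather than the ISP backbone, which is the distinction several posters were trying to draw by hand.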