US, TDS Fiber, ActionTec T3200M block 1111 and 1001

US TDS Fiber (wicked fast! :grinning:) using ActionTec T3200M router, running all the OSes: Fedora, Ubuntu, Raspbian, Android, even Windows. Can’t reach 1.1.1.1. Here are tests:

$ dig example.com @1.1.1.1

; <<>> DiG 9.11.13-RedHat-9.11.13-2.fc30 <<>> example.com @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig example.com @1.0.0.1

; <<>> DiG 9.11.13-RedHat-9.11.13-2.fc30 <<>> example.com @1.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig example.com @8.8.8.8

; <<>> DiG 9.11.13-RedHat-9.11.13-2.fc30 <<>> example.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48891
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com. IN A

;; ANSWER SECTION:
example.com. 7382 IN A 93.184.216.34

;; Query time: 14 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Dec 31 16:55:07 EST 2019
;; MSG SIZE rcvd: 56

$ dig +short CHAOS TXT id.server @1.1.1.1
;; connection timed out; no servers could be reached

$ dig +short CHAOS TXT id.server @1.0.0.1
;; connection timed out; no servers could be reached

$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 _gateway (192.168.1.1) 3.821 ms 3.758 ms 3.710 ms
2 _gateway (192.168.1.1) 3055.260 ms !H 3055.264 ms !H 3055.230 ms !H

$ traceroute 1.0.0.1
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 60 byte packets
1 _gateway (192.168.1.1) 3.339 ms 3.221 ms 3.155 ms
2 _gateway (192.168.1.1) 3028.722 ms !H 3028.679 ms !H 3030.091 ms !H

$ dig +tcp @1.1.1.1 id.server CH TXT
;; Connection to 1.1.1.1#53(1.1.1.1) for id.server failed: host unreachable.

$ dig +tcp @1.0.0.1 id.server CH TXT
;; Connection to 1.0.0.1#53(1.0.0.1) for id.server failed: host unreachable.

$ openssl s_client -connect 1.1.1.1:853
140354131887936:error:02002071:system library:connect:No route to host:crypto/bio/b_sock2.c:110:
140354131887936:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
connect:errno=113

$ openssl s_client -connect 1.0.0.1:853
140454055118656:error:02002071:system library:connect:No route to host:crypto/bio/b_sock2.c:110:
140454055118656:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
connect:errno=113

$ curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=cloudflare.com&type=AAAA'
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,"Question":[{"name": "cloudflare.com.", "type": 28}],"Answer":[{"name": "cloudflare.com.", "type": 28, "TTL": 151, "data": "2606:4700::6811:af55"},{"name": "cloudflare.com.", "type": 28, "TTL": 151, "data": "2606:4700::6811:b055"}]}


Is the T3200M connected to an ONT via the RJ-45 WAN port? If so, do you have another device you can swap out temporarily to rule out the T3200M? If not, is it connected via MoCA (coax) or RJ-11 (DSL)?


Of course, how embarrassing. I can swap out the router for a test. :facepalm:

Thanks, @Zenexer !

The ActionTec T3200M connects to WAN via an RJ-45, I guess to the Optical Network Terminal.

Sure enough, an old dusty D-Link DIR-655 dragged out of the back of the closet connected to 1.1.1.1 fine: via a browser, using dig and all the other tests:

$ dig example.com @1.1.1.1

; <<>> DiG 9.11.13-RedHat-9.11.13-2.fc30 <<>> example.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6695
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;example.com. IN A

;; ANSWER SECTION:
example.com. 8851 IN A 93.184.216.34

;; Query time: 14 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Jan 01 14:12:57 EST 2020
;; MSG SIZE rcvd: 56

$ dig +short CHAOS TXT id.server @1.1.1.1
"IAD"

$ dig +tcp @1.1.1.1 id.server CH TXT

; <<>> DiG 9.11.13-RedHat-9.11.13-2.fc30 <<>> +tcp @1.1.1.1 id.server CH TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29188
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;id.server. CH TXT

;; ANSWER SECTION:
id.server. 0 CH TXT "IAD"

;; Query time: 16 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Jan 01 14:13:51 EST 2020
;; MSG SIZE rcvd: 54

$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 * _gateway (192.168.1.1) 0.605 ms 0.721 ms
2 * cntcnhhed11-dy1001-secondary24.network.tds.net (96.61.80.1) 2.547 ms 2.833 ms
3 h64-50-239-76.mdsnwi.tisp.static.tds.net (64.50.239.76) 11.308 ms 11.336 ms 11.374 ms
4 206.126.237.30 (206.126.237.30) 17.568 ms 19.959 ms 17.543 ms
5 one.one.one.one (1.1.1.1) 16.936 ms 19.164 ms 16.934 ms

I will pursue with my ISP to see if they have updated router or firmware available.

Trouble ticket sent to the TDS ISP resulted in a support call where the support engineer disclaimed “advanced” use of network configurations. Suggested I try configuring a machine on the DMZ, which almost sounds reasonable. Tested it out today but since it is really still going through the same router, I got the same result: ping/traceroute/nslookups get stuck in the router and time out after 3 seconds, as shown above in this thread.

So, I’m inclined to note the ActionTec T3200M as “NOT COMPATIBLE” with 1.1.1.1

One more kink, though: using an Android phone with the 1.1.1.1 app, WiFi only going through the same router, phone data turned off, successfully connects to 1.1.1.1 – how can a phone app bypass my broken router!!! Turning off the 1.1.1.1 app on the phone results in the expected “The site can’t be reached” https://1.1.1.1 is unreachable. So the 1.1.1.1 app is doing some kind of routing around the broken router.

Because it’s a VPN and not connecting to 1.1.1.1 to establish the VPN connection. A VPN is needed to use 1.1.1.1 as DNS server on mobile networks, because you can’t change them on your own.

Update your firmware.

Reference: (referring back to this thread :rofl:)


Update: I posted a request to TDS to be notified when the v11 update was available and TDS scheduled an onsite with a technician. After reviewing the situation, we concluded the v11 update was still in an interim state (and previous versions had knocked out the TDSTV portions of the router) so being the Friday before a bowl weekend, elected to hold off. Central office support claims version 12 is likely to be available in a matter of weeks and worth waiting for. Version 12 should be an “over the air” overnight update not requiring onsite service.

This has prio 1! Absolutely… :sweat_smile::wink:

I’m a bit late to this party, but I found a solution and am documenting it here in case you have an Actiontec T3200 router and can’t wait the two decades for your ISP to update its firmware. The problem is that the Actiontec router is configured to route all 1.x.x.x addresses to itself, which means no traffic to any 1.x.x.x address will leave the router. You can add a static routing entry to override this.

  • Go to your router’s interface > Status > Routing Table
  • Find the line for destination 0.0.0.0, netmask 0.0.0.0, and note the gateway IP (you will notice another line for destination 1.0.0.0, mask 255.0.0.0 is being routed to gateway 0.0.0.0, which is the cause of the problem)
  • Go to ARP Table
  • Find the line corresponding to the gateway IP you noted, and note the device (e.g. for me it’s “ptm0.1”)
  • Go to Advanced Setup > Static Routing
  • Enter destination 1.0.0.0, mask 255.0.0.0, gateway IP from above, interface device from above
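
The routing-table check behind the workaround above, as an added example that is not part of the original posts: it runs a longest-prefix match over a constructed table to show why 1.1.1.1 and 1.0.0.1 never left the router while 8.8.8.8 did, and derives the static-route fields the post lists. The upstream gateway 203.0.113.1 and the LAN interface name "br0" are placeholders; only the 1.0.0.0/255.0.0.0 row and "ptm0.1" come from the thread.

```python
import ipaddress

# Constructed routing table modelled on the rows the post describes
# (destination, netmask, gateway, interface). The upstream gateway
# 203.0.113.1 and the LAN interface name "br0" are placeholders.
ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "203.0.113.1", "ptm0.1"),
    ("1.0.0.0",     "255.0.0.0",     "0.0.0.0",     "br0"),
    ("192.168.1.0", "255.255.255.0", "0.0.0.0",     "br0"),
]

def parse(rows):
    """Turn table rows into (network, gateway, interface) tuples."""
    return [(ipaddress.ip_network(f"{d}/{m}"), ipaddress.ip_address(g), i)
            for d, m, g, i in rows]

def best_route(routes, dest):
    """Longest-prefix match: the most specific covering route wins."""
    dest = ipaddress.ip_address(dest)
    hits = [r for r in routes if dest in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def shadowed(routes, dest):
    """True when a public address is captured by an on-link route
    (gateway 0.0.0.0), so it is never forwarded upstream."""
    route = best_route(routes, dest)
    if route is None:
        return False
    net, gw, _ = route
    return (net.prefixlen > 0 and gw == ipaddress.ip_address("0.0.0.0")
            and not ipaddress.ip_address(dest).is_private)

def suggested_fix(routes, dest):
    """Static-route fields from the post: the shadowing destination and
    mask, paired with the default route's gateway and interface."""
    net = best_route(routes, dest)[0]
    default = next(r for r in routes if r[0].prefixlen == 0)
    return (str(net.network_address), str(net.netmask),
            str(default[1]), default[2])

if __name__ == "__main__":
    table = parse(ROUTES)
    for ip in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "192.168.1.10"):
        print(ip, "shadowed" if shadowed(table, ip) else "ok")
    print(suggested_fix(table, "1.1.1.1"))
```
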

Sunuvagun! It didn’t dawn on me that an additional route would override the internal routes. But it did!

I have access to 1.1.1.1 now, and set up my PiHole to process DNS-over-HTTPS. Cool!

Thank you!

@majaro3685 - You were not kidding about waiting two decades for my ISP (TDS) to update its firmware. Thankfully your solution worked perfectly.