
AT&T updates firmware to block access to 1.1.1.1 - antoinefink
https://www.dslreports.com/forum/r31901625-New-BGW-210-700-Firmware-1-5-11
======
jaas
I'd say there is a 98% chance this is a bug in some firmware and a 2% chance
AT&T is intentionally trying to block Cloudflare DNS.

I get why people are paranoid about ISPs blocking content and net neutrality,
but let's not cry wolf prematurely. The technical details here strongly
suggest a bug rather than intentional blocking of 1.1.1.1 DNS traffic.

~~~
jjeaff
Then the odds appear to not be in our favor.

CF CEO tweets that 1.0.0.1 is also blocked.

[https://twitter.com/eastdakota/status/991718955021623296](https://twitter.com/eastdakota/status/991718955021623296)

Others have confirmed that the IPv6 address belonging to CF appears to be
blocked.

~~~
samstave
Just curious - can cloudflare blackhole all of Att traffic?

~~~
BlueGh0st
Could they physically? Yes. But they'd be screwing over their own customers
who rely on that traffic.

~~~
stingraycharles
Isn’t AT&T screwing their own customers by blocking 1.1.1.1 as well?

~~~
tekknik
AT&T isn’t blocking 1.1.1.1, just tested it on my U-verse connection. As much
as I hate AT&T, their internet is pretty solid with the exception of data caps.

------
mabbo
I wonder if anyone has considered some sort of legislation whereby internet
service providers are not allowed to block or disrupt service to certain parts
of the internet in order to promote their own business model.

~~~
bb88
The argument I've made is that if they're blocking certain parts of the
internet, then they shouldn't be allowed to call themselves an Internet
Service Provider.

~~~
sjm-lbm
I've made this argument before (and it does make some sense), but I also doubt
that enough people will understand this nuance for it to really matter.

~~~
raquo
Maybe not-really-ISPs should be made ineligible for certain privileges /
rights given to real ISPs. Like not-really-doctors can't do everything that
real doctors can (grasping for a better analogy).

~~~
ForHackernews
Other entities could punish them by revoking peering agreements. Or if
CloudFlare wanted to play hardball, they could deny access to their CDN from
AT&T IP ranges. That would be punishing AT&T customers further, but it would
get their attention quickly and they'd complain to their ISP.

~~~
colechristensen
It would also be punishing CloudFlare customers quite a lot.

Taking a moral stand is honorable, but using your customers to do it isn't.

------
AgentK20
Cloudflare's CEO confirms:
[https://twitter.com/eastdakota/status/991718955021623296](https://twitter.com/eastdakota/status/991718955021623296)

~~~
noobermin
How is this not illegal?

~~~
bb88
Because as it stands right now, AT&T sells you access to their network. What
happens on their network is for AT&T to decide. With the FCC striking down net
neutrality [1], AT&T is probably testing out the waters.

[1] According to google, it's defined as:

"the principle that Internet service providers should enable access to all
content and applications regardless of the source, and without favoring or
blocking particular products or websites."

~~~
stefan_
If you can construe some horizontal where Cloudflare and AT&T are competitors,
it could of course still be illegal for AT&T to block the other's services
simply under antitrust law.

~~~
jjeaff
I'm sure ATT has cdn or similar services.

------
netsec_burn
This isn't malice. AT&T has an internal IP they assigned to 1.1.1.1 because it
was unused and they used it as an image caching proxy so that browsing the
internet would feel faster on early phones. I've seen it when I was reverse
engineering on Android a while back.

~~~
masklinn
So it's not just malice but doubly so: they used an IP they didn't have the
rights to _and_ they're now blocking proper users of it.

~~~
netsec_burn
They used an IP that was originally reserved for what reserved IPs are used
for. Now that Cloudflare convinced 1.1.1.1 to be released, I'm sure AT&T wants
service continuity and had to make this decision, which is well within their
rights as an ISP. I dislike AT&T so if this was entirely opinion-based, I
would be against them here. But this is a knee-jerk reaction to a well
justified decision.

~~~
qmarchi
Except that it wasn't classified as a private IP address. They should've used
something like 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.

The 1.0.0.0/8 range was owned by IANA from _1981_ up until 2010, when it was
transferred to APNIC. (The 2.0.0.0/8 range was also owned by IANA until 2010,
then transferred to RIPE NCC).

If you want to get technical, use of the space could be construed as theft.

As for the continuity issue, it was stated that it was an old device, so they
have no responsibility to continue supporting it, and considering the age of
the device in question, it may not be able to connect to the existing network.

~~~
nickysielicki
They should be using 100.64/10

[https://tools.ietf.org/html/rfc6598](https://tools.ietf.org/html/rfc6598)

------
mstaoru
Shanghai. One of the largest Chinese data-centers with direct peering to all
major national networks. I'm inside, testing a new colocation unit we just put
there. Pinging 1.1.1.1 in 4.2ms, wow! Putting it in resolv.conf. Nothing
works. WTF? Turns out they route 1.1.1.1 across the whole DC to one of their
internal services "for engineers' convenience". Not gonna change. TIC.

------
xtf
From
[https://en.wikipedia.org/wiki/1.1.1.1#Criticism_and_problems](https://en.wikipedia.org/wiki/1.1.1.1#Criticism_and_problems)
:

Technological websites noted that by using 1.1.1.1 as the IP address for their
service, Cloudflare created problems with existing setups. While 1.1.1.1 was
not a reserved IP address, it was and is used by many existing routers (mostly
those sold by Cisco Systems) and companies for hosting login pages to private
networks, exit pages or other purposes, rendering the use of 1.1.1.1 as a
manually configured DNS server impossible on those systems. Additionally,
1.1.1.1 is blocked on many networks and by multiple ISPs because the
simplicity of the address means that it was previously often used for testing
purposes and not legitimate use. These previous uses have led to a huge influx
of "garbage" data to Cloudflare's servers.

~~~
rbanffy
What kind of demented person uses 1.1.1.1, a routable public address since
2010, for internal addresses. What's wrong with 10.0.0.0/8 or 192.168/16?

~~~
jdironman
I'm gonna guess they valued the aesthetics over the problems / conditions.

~~~
slenk
10.10.10.10?

~~~
rbanffy
10.11.11.10?

~~~
jdironman
10.00.00.01?

------
techjuice
I always thought it was strange to see the example loopback address listed as
1.1.1.1 or 1.xxx.xxx.xxx in many tutorials and official network certification
guides, and why they did not use a private one. This is more than likely why
many users are having problems: they are being routed to a loopback address on
their router or another router. Hopefully network admins and engineers will
choose a non-public IP space as their loopback address to resolve the problem.

~~~
codetrotter
Indeed. I wish most people used TEST-NET-1, TEST-NET-2 and TEST-NET-3 in
documentation and training material.

RFC 5735:

> 192.0.2.0/24 - This block is assigned as "TEST-NET-1" for use in
> documentation and example code. It is often used in conjunction with domain
> names example.com or example.net in vendor and protocol documentation. As
> described in RFC5737, addresses within this block do not legitimately appear
> on the public Internet and can be used without any coordination with IANA or
> an Internet registry.

> 198.51.100.0/24 - This block is assigned as "TEST-NET-2" for use in
> documentation and example code. It is often used in conjunction with domain
> names example.com or example.net in vendor and protocol documentation. As
> described in RFC5737, addresses within this block do not legitimately appear
> on the public Internet and can be used without any coordination with IANA or
> an Internet registry.

> 203.0.113.0/24 - This block is assigned as "TEST-NET-3" for use in
> documentation and example code. It is often used in conjunction with domain
> names example.com or example.net in vendor and protocol documentation. As
> described in RFC5737, addresses within this block do not legitimately appear
> on the public Internet and can be used without any coordination with IANA or
> an Internet registry.

[https://tools.ietf.org/html/rfc5735](https://tools.ietf.org/html/rfc5735)
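Added example (mine, not from any poster, Cloudflare or AT&T) covering the two
points made above: the RFC 1918 and RFC 6598 ranges that belong in an internal
config, and the RFC 5737 TEST-NETs that belong in documentation only. It uses
Python's standard `ipaddress` module to classify an IPv4 literal against the
special-purpose registry and then audits a constructed config snippet for
addresses parked on space that is actually public, which is exactly how
1.1.1.1 ends up answered by a captive portal or an image proxy. The prefix
table is transcribed from the RFC named in each row; the sample config is made
up.

```python
"""Classify IPv4 literals against the IANA special-purpose registry.

Added example, not from the thread. The prefix table is transcribed from
RFC 1918, RFC 5737, RFC 6598 and the IANA IPv4 Special-Purpose Address
Registry; SAMPLE_CONFIG is constructed.
"""
import ipaddress
import re

# (prefix, label, meant for hosts inside a private network?)
SPECIAL_PURPOSE = [
    ("0.0.0.0/8", "this network (RFC 1122)", False),
    ("10.0.0.0/8", "private-use (RFC 1918)", True),
    ("100.64.0.0/10", "shared address space / CGNAT (RFC 6598)", True),
    ("127.0.0.0/8", "loopback (RFC 1122)", False),
    ("169.254.0.0/16", "link-local (RFC 3927)", False),
    ("172.16.0.0/12", "private-use (RFC 1918)", True),
    ("192.0.0.0/24", "IETF protocol assignments (RFC 6890)", False),
    ("192.0.2.0/24", "TEST-NET-1, documentation only (RFC 5737)", False),
    ("192.168.0.0/16", "private-use (RFC 1918)", True),
    ("198.18.0.0/15", "benchmarking (RFC 2544)", False),
    ("198.51.100.0/24", "TEST-NET-2, documentation only (RFC 5737)", False),
    ("203.0.113.0/24", "TEST-NET-3, documentation only (RFC 5737)", False),
    ("224.0.0.0/4", "multicast (RFC 5771)", False),
    ("240.0.0.0/4", "reserved for future use (RFC 1112)", False),
    ("255.255.255.255/32", "limited broadcast (RFC 919)", False),
]
PUBLIC = "globally routable (public unicast)"

# Longest prefix first, so 255.255.255.255/32 is matched before 240.0.0.0/4.
_TABLE = sorted(((ipaddress.ip_network(p), label, ok) for p, label, ok in SPECIAL_PURPOSE),
                key=lambda entry: entry[0].prefixlen, reverse=True)


def classify(ip):
    """Return (label, ok_for_internal_use) for one IPv4 literal.

    1.1.1.1 never matches the table: it was allocated to APNIC and is
    ordinary public unicast space, which is the whole point of the thread."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only")
    for net, label, ok in _TABLE:
        if addr in net:
            return label, ok
    return PUBLIC, False


_IPV4_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def audit_internal_addresses(config_text):
    """Return [(ip, label)] for every IPv4 literal in config_text that is not
    in a range intended for hosts on a private network."""
    findings = []
    for ip in sorted(set(_IPV4_LITERAL.findall(config_text))):
        try:
            label, ok = classify(ip)
        except ValueError:        # e.g. 300.1.1.1 matched the regex but is no address
            continue
        if not ok:
            findings.append((ip, label))
    return findings


# Constructed config of the kind the thread describes: a captive portal and an
# image-caching proxy parked on 1.1.1.1 next to correctly chosen internal space.
SAMPLE_CONFIG = """
captive_portal_vip   1.1.1.1
image_proxy          1.1.1.1
dns_forwarder        10.0.0.53
cgnat_pool           100.64.0.0/10
lab_example          192.0.2.10
"""

if __name__ == "__main__":
    for ip, label in audit_internal_addresses(SAMPLE_CONFIG):
        print(f"{ip:16} {label}")
```

Running it flags 1.1.1.1 as public unicast and 192.0.2.10 as documentation
space, and passes the 10/8 and 100.64/10 entries. Point it at a real router or
captive-portal config to find the next address that will collide with someone's
allocation.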

------
fastball
That's so crazy, I actually experienced this today.

I've been using 1.1.1.1, and today went to the library for a quick work break.
I pulled out my laptop and tried to connect to the wifi, and it wasn't
working. After a few minutes of troubleshooting, I tried deleting my custom
DNS entry in my network settings and that did the trick.

I guess the library uses AT&T routers.

~~~
j605
No, they use that for captive portals or broadcasts.

~~~
icelancer
Exactly. This is why 1.1.1.1 won't work on Airplane WiFi either.

------
bvinc
How are they going to spy on your DNS traffic and sell it to advertisers after
you secure it?

~~~
ddtaylor
For most people who aren't configuring DNSSEC or TLS, can't the ISP still see
all of the plain-text domain names in port 53 traffic?

~~~
tptacek
DNSSEC doesn’t encrypt DNS traffic; it only signs it.

~~~
ddtaylor
Derp, good point.
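To make tptacek's point concrete, here is an added example (mine, not from the
thread) that builds a DNS query exactly as it crosses port 53, optionally with
the EDNS0 OPT record carrying the DNSSEC OK bit, and then recovers the queried
name from the raw bytes the way any on-path observer can. Asking for DNSSEC
flips one flag bit; the QNAME is still cleartext. Only the RFC 1035
header/question layout and the RFC 6891 OPT record are implemented, and the
transaction ID and advertised UDP size are arbitrary constants.

```python
"""Build a DNS query as it crosses port 53 and read the name back out of it.

Added example, not from the thread. Implements the RFC 1035 header and
question section plus the RFC 6891 EDNS0 OPT record that carries the DNSSEC
OK (DO) bit; the transaction id and advertised UDP size are arbitrary.
"""
import struct

QTYPE_A = 1
QCLASS_IN = 1
TYPE_OPT = 41
FLAG_QR = 0x8000        # header: 1 = response
FLAG_RD = 0x0100        # header: recursion desired
EDNS_DO = 0x8000        # OPT record: DNSSEC OK, asks for RRSIGs in the answer


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError("labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234, dnssec_ok=False):
    """Wire bytes of a recursive query, with EDNS0+DO when dnssec_ok is set."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    packet = header + question
    if dnssec_ok:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL field = extended rcode / version / flags (DO), RDLENGTH 0.
        packet += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return packet


def decode_name(packet, offset):
    """Decode an uncompressed name at offset; returns (name, next_offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer in a question section")
        labels.append(packet[offset:offset + length].decode("idna"))
        offset += length


def observe(packet):
    """What an on-path observer learns from one query packet."""
    _txid, flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    if flags & FLAG_QR:
        raise ValueError("that is a response, not a query")
    name, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    dnssec_ok = False
    if arcount and off < len(packet) and packet[off] == 0:   # OPT uses the root name
        rtype, _udp, ttl, _rdlen = struct.unpack("!HHIH", packet[off + 1:off + 11])
        dnssec_ok = rtype == TYPE_OPT and bool(ttl & EDNS_DO)
    return {"name": name, "qtype": qtype, "dnssec_ok": dnssec_ok}


if __name__ == "__main__":
    for do in (False, True):
        pkt = build_query("www.google.com", dnssec_ok=do)
        print(observe(pkt), "raw name bytes visible:", b"google" in pkt)
```

The observer sees the same name whether or not DO is set. What hides it is
putting the query inside TLS (DNS over TLS on 853, or DNS over HTTPS), which
this block deliberately does not do.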

------
chrissnell
Some folks use a Ubiquiti EdgeRouter and a user-space proxy to forward EAP
(authentication) packets to the AT&T router but otherwise use the EdgeRouter
to route LAN traffic out to the ONT (fiber to Ethernet translator) and the
internet, thus bypassing the shitty AT&T router for most stuff. This would be
sufficient to ensure that 1.1.1.1 is reachable.

It's not a good solution for me, however, because I run pfSense, which is
FreeBSD-based and lacks the PF_RING socket support to filter out those EAP
packets. As far as I know, pfSense's PF packet filter cannot strain them out,
either. Traditional libpcap is available on FreeBSD (slow) and netmap (fast),
too. I looked into writing an EAP proxy in Go using a special netmap-enabled
libpcap but it was way too much yak shaving and I eventually gave up. I should
take another look, or maybe learn enough C to do it natively with netmap. My
goal is native EAP proxy support for pfSense that can support filtering EAP
out of a wire-speed gigabit fiber connection.

------
tuna-piano
Here is the original Cloudflare post on what 1.1.1.1 is [1]. For those who
don't know, 1.1.1.1 is Cloudflare's privacy focused DNS service. That means
that when you type in www.google.com, that URL can be sent to 1.1.1.1, and
then 1.1.1.1 resolves that URL to an IP address and sends the IP back to the user.
All user requests are then sent to the IP address, not the URL. Supposedly
this is better than using the DNS server of ATT+Comcast, because ATT+Comcast
want your browsing history while Cloudflare does not.

What I don't understand is how this really helps user privacy much. If AT&T,
Comcast, etc want to know your browsing habits, can't they still see the IP
addresses you're browsing and figure out the URL from the IPs? I can't see
that as too big an impediment, but maybe someone with more knowledge can
share.

[1]
[https://blog.cloudflare.com/announcing-1111/](https://blog.cloudflare.com/announcing-1111/)
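On the question in the last paragraph: the destination IP alone is a weak
signal once a site sits behind a CDN (many hostnames share one address), but
the hostname leaks anyway, because the TLS ClientHello carries it in the Server
Name Indication extension in cleartext. Added example (mine, not from the
thread): a minimal ClientHello builder plus the parser an on-path box would run
to pull the SNI out of the first packet of every HTTPS connection. The cipher
suites and random bytes are constructed placeholders and no handshake is
performed. Encrypted ClientHello (ECH) is the IETF work to close this gap and
is not shown.

```python
"""Pull the Server Name Indication out of a TLS ClientHello.

Added example, not from the thread. build_client_hello() makes a minimal,
constructed hello (placeholder random, three cipher suites) so the parser has
something to chew on offline; extract_sni() is the part an on-path observer
runs against the first packet of every HTTPS connection.
"""
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def _u16(n):
    return struct.pack("!H", n)


def build_client_hello(server_name, random_bytes=b"\x11" * 32):
    """Constructed ClientHello record (RFC 8446 layout) naming server_name."""
    host = server_name.encode("idna")
    entry = b"\x00" + _u16(len(host)) + host            # NameType host_name
    name_list = _u16(len(entry)) + entry
    ext_sni = _u16(EXT_SERVER_NAME) + _u16(len(name_list)) + name_list
    versions = b"\x03\x04\x03\x03"                       # TLS 1.3, TLS 1.2
    ext_versions = (_u16(EXT_SUPPORTED_VERSIONS) + _u16(len(versions) + 1)
                    + bytes([len(versions)]) + versions)
    extensions = ext_sni + ext_versions
    suites = b"\x13\x01\x13\x02\xc0\x2f"                 # placeholder suite list
    body = (b"\x03\x03" + random_bytes + b"\x00"          # legacy_version, random, no session id
            + _u16(len(suites)) + suites
            + b"\x01\x00"                                 # one compression method: null
            + _u16(len(extensions)) + extensions)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + _u16(len(handshake)) + handshake


def _parse_sni(record):
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None                                      # not a handshake record
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None                                      # not a ClientHello
    pos = 4 + 2 + 32                                     # type+len, legacy_version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                   # legacy_session_id
    (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2 + cs_len                                    # cipher_suites
    pos += 1 + hs[pos]                                   # compression_methods
    if pos + 2 > len(hs):
        return None                                      # no extensions at all
    (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != EXT_SERVER_NAME or len(data) < 2:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        p = 2
        while p + 3 <= 2 + list_len:
            ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if ntype == 0:                               # host_name
                return data[p:p + nlen].decode("idna")
            p += nlen
    return None


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent
    or if the bytes are truncated/malformed."""
    try:
        return _parse_sni(record)
    except (struct.error, IndexError, UnicodeError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("www.google.com")
    print(len(hello), "bytes on the wire; observer reads:", extract_sni(hello))
```

So even with DNS fully encrypted, the ISP gets one hostname per TLS connection
for free, which is why DoH/DoT and ECH are meant to go together.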

~~~
ben174
Got a link to the original hacker news article by chance? I’d like to see the
comments

~~~
jessaustin
Use the search at the bottom of this page:

[https://hn.algolia.com/?query=announcing%201111&type=story](https://hn.algolia.com/?query=announcing%201111&type=story)

------
js2
This is likely due to incompetence, not malice.

FWIW, it’s possible to bypass AT&T’s router:

[https://github.com/jaysoffian/eap_proxy](https://github.com/jaysoffian/eap_proxy)

That said, I tried 1.1.1.1 and found I had to switch back to Google DNS since
Cloudflare intentionally doesn’t support EDNS Client Subnet which was causing
my Apple TVs to have trouble loading content.

~~~
ReverseCold
I don't know much about networking, but I do have that router. Can you please
explain what this does/why someone would want this?

~~~
js2
It allows you to completely bypass AT&T's router, so you can use your own
router talking directly to the ONT. The AT&T router is then necessary only to
authenticate to the ONT. So the proxy, running on your own router, sends
authentication packets (and their responses) from the ONT to the AT&T router,
but otherwise the AT&T router isn't handling any packets.
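Added example (mine, not code from eap_proxy or 1x_prox) showing the decision
the proxy js2 describes has to make for every frame: EAPOL frames (EtherType
0x888E, IEEE 802.1X) are relayed between the ONT-facing port and the port the
AT&T gateway is parked on, anything else arriving from the ONT is the router's
own WAN traffic, and anything else the gateway tries to send is ignored. It
parses the Ethernet header and an optional 802.1Q tag (some ONTs priority-tag
these frames with VID 0); the raw-socket or libpcap plumbing that would move
real frames is left out so it runs offline, and the MAC addresses and frames
are constructed.

```python
"""Per-frame decision for an 802.1X/EAP proxy of the kind described above.

Added example, not code from eap_proxy or 1x_prox. The MACs and frames are
constructed; the raw-socket / pcap plumbing that would move real frames is
deliberately left out.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag; some ONTs priority-tag frames with VID 0
ETHERTYPE_EAPOL = 0x888E  # 802.1X "EAP over LAN"
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # destination MAC for 802.1X

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def parse_frame(frame):
    """Split an Ethernet frame into dst, src, optional VLAN id, EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def decide(frame, ingress):
    """ingress is 'ont' (fibre side) or 'gateway' (the ISP box). Returns
    (action, detail): relay->X for EAPOL, route for the router's own WAN
    traffic, drop for anything else the gateway tries to send."""
    f = parse_frame(frame)
    if f["ethertype"] != ETHERTYPE_EAPOL:
        if ingress == "gateway":
            return "drop", "non-EAPOL traffic from the gateway is ignored"
        return "route", "ordinary WAN traffic, handled by the router's own stack"
    if len(f["payload"]) < 4:
        return "drop", "truncated EAPOL header"
    version, ptype, body_len = struct.unpack("!BBH", f["payload"][:4])
    egress = "gateway" if ingress == "ont" else "ont"
    name = EAPOL_TYPES.get(ptype, f"type {ptype}")
    return f"relay->{egress}", f"EAPOL v{version} {name}, {body_len} bytes"


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Assemble a frame, with an 802.1Q tag when vlan is given (constructed input)."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


# Constructed addresses: the ISP gateway and the ONT-side authenticator.
GATEWAY_MAC = bytes.fromhex("001122334455")
ONT_MAC = bytes.fromhex("66778899aabb")

# EAPOL-Start (v1, type 1, no body) leaving the gateway.
EAPOL_START = build_frame(PAE_GROUP_ADDR, GATEWAY_MAC, ETHERTYPE_EAPOL,
                          b"\x01\x01\x00\x00")
# EAP Request/Identity (EAPOL v1 type 0 carrying EAP code 1, id 1, len 5,
# type 1) coming back from the ONT, priority-tagged with VID 0.
EAP_REQUEST_IDENTITY = build_frame(GATEWAY_MAC, ONT_MAC, ETHERTYPE_EAPOL,
                                   b"\x01\x00\x00\x05\x01\x01\x00\x05\x01", vlan=0)
# A plain IPv4 frame (minimal header bytes only).
IPV4_FRAME = build_frame(GATEWAY_MAC, ONT_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)


def demo():
    """Run the sample frames through decide(); returns the decisions."""
    return [decide(EAPOL_START, "gateway"),
            decide(EAP_REQUEST_IDENTITY, "ont"),
            decide(IPV4_FRAME, "ont"),
            decide(IPV4_FRAME, "gateway")]


if __name__ == "__main__":
    for action, detail in demo():
        print(f"{action:16} {detail}")
```

The relay is the whole job; the only other piece these setups need is that the
router's WAN port presents the gateway's MAC address, since that is the
identity the ONT authorised during the 802.1X exchange.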

------
sxates
Does this just apply to setting the default DNS on the router, or are they
blocking traffic to 1.1.1.1 from any device connected to it?

~~~
ReverseCold
I'm on ATT right now and I can't go to [https://1.1.1.1](https://1.1.1.1)
right now.

It works fine when I disable WiFi on my phone (Verizon).

~~~
city41
I have AT&T internet and also can't get to [http://1.1.1.1](http://1.1.1.1),
but I can on my phone using AT&T's cellular service. Apparently not all of
AT&T dislikes CloudFlare.

------
kev009
Knowing how bad most telco networks are operated, I blithely wonder if maybe
they were using stuff in 1./8 as PNI or some other privileged internal net and
are going through some oh shit moments.

Hanlon's razor, as lots of DNS services are available on not-as-vanity IP
space, and there is no evidence of blockage.

------
sitepodmatt
It shocks me that there are no AT&T network/sysadmins at the right level and
department on this forum that don't cringe in shame and sort this out.

~~~
gk1
I'm certain there are, but AT&T is a 250,000-person organization with a
bureaucracy to match. Things take weeks to sort out, assuming the right person
is pushing for it.

------
pedrosanta
I would cancel any broadband contract of any ISP that did this when providing
me a service. We need to stand up to these sort of things. (Disclaimer: I live
in Europe though.)

~~~
justherefortart
You wouldn't when you don't have a better alternative.

------
jedberg
My guess is this is just incompetence and not intentionally made to block
CloudFlare.

I have one of those routers, and I couldn't use 1.1.1.1 because it was routing
to an internal interface on the router. I confirmed this with ping, I was
getting microsecond response times from 1.1.1.1.

Under the new firmware, 1.1.1.1 is just dead. So it's probably still connected
to the local interface, and nothing is listening.

~~~
alex_young
They started blocking 1.0.0.1 and CF ipv6 DNS too. This has to be intentional.

~~~
jedberg
Hmmm that's a fair point. But then why not also block 8.8.8.8?

~~~
stonemetal
Everyone has heard of Google, attacking them would cause backlash. Non
technical people haven't heard of Cloudflare so it is a softer target.

------
PinkMilkshake
This is going to reveal my lack of networking knowledge but how does a company
get an IP like 1.1.1.1? A bucket load of cash?

~~~
y2kenny
Help from / collaboration with APNIC:

[https://blog.cloudflare.com/announcing-1111/](https://blog.cloudflare.com/announcing-1111/)

~~~
utefan001
Geoff Huston is the chief scientist at APNIC. I highly recommend checking out
some of his talks on YouTube.

------
taf2
I’m on AT&T LTE and this is working just fine... is this a broadband provider
thing?

~~~
city41
I have AT&T LTE on my phone and AT&T DSL at home. I can't get on 1.1.1.1 via
DSL, but can via LTE.

------
Abishek_Muthian
Anyone else facing such issues with their ISP for 1.1.1.1 ?

Cloudflare DNS seems to be down for a couple of major ISPs in India as well,
according to CF forums -

[ACT] [https://community.cloudflare.com/t/cloudfare-dns-blocked-with-act-isp-in-india/16916/10](https://community.cloudflare.com/t/cloudfare-dns-blocked-with-act-isp-in-india/16916/10)

[Airtel] [https://community.cloudflare.com/t/cloudflare-dns-not-working-in-india-isp-airtel-may-have-blocked-it/16419](https://community.cloudflare.com/t/cloudflare-dns-not-working-in-india-isp-airtel-may-have-blocked-it/16419)

~~~
NoCFHere
I'm on comcast and can't seem to ping em.

------
thetwentyone
FWIW as an ATT Fiber customer, I was not able to (and am still not able to)
access 1.1.1.1. I tried just a couple days after Cloudflare announced the
service, and requests timed out. I can access with a VPN, however.

------
johnvega
If at&t does not provide any official explanation, what's your opinion on how
people should respond. The first thing that came to mind for me is to switch
over to Xfinity on my next contract cycle.

~~~
mr_spothawk
Breaking the contract is a reasonable option, maybe? At scale & among people
who can afford to (ahem, HN) openly refuse I'd argue it could have more
immediate impact.

Frankly, NEVER paying the bill is an option, too. Downloading Netflix is
sweet, maybe you can pool with your neighbor? That's another topic.

It's expensive to enforce payment.

If you've never been in collections, it's an experience you might enjoy for
sport.

If you live in fear of not being able to get a cheap interest rate on a loan
for some shit you don't need... well, maybe you'd better not take part in that
type of protest.

------
cottsak
More solid advice regarding home internet/ISP routers:
[https://www.tomsguide.com/us/home-router-security,news-19245.html](https://www.tomsguide.com/us/home-router-security,news-19245.html)

Try to avoid the cheap bundled cable/fibre/DSL routers that ISPs "throw in"
with their plans/packages.

Disable the remote management/update/TR-069/CWMP/SSH/etc if you can. You don't
wanna trust someone else to secure your home.

------
walrus01
There are an astonishing number of corporate end users also using "unused"
/8-sized chunks of IP space internally. As if RFC 1918 wasn't big enough.

------
cottsak
How is the ISP performing this remote update? Is it TR-069/CWMP or an open SSH
port or something? Many routers will allow the user to disable TR-069 even
while it's running. Often a hardware reset will also disable it and then the
user can put the manufacturer's update on it and prevent the ISP from managing
it in the future. If it's an open SSH port then we all have bigger problems.

~~~
sean8102
AT&T's internet service requires you to use one of THEIR "gateways", which is
a combination modem and wireless router. When AT&T wants a new gateway they go
to a company (mainly Arris now) and have them build a gateway that will only
be for AT&T to deploy. AT&T completely controls the software/firmware on the
device. There is no site you can go to and download a "manufacturer" firmware.
Even if you could, it wouldn't accept it because it wouldn't be signed by AT&T.
And yes, AT&T uses CWMP to remotely manage the gateway. That's how they can
send firmware updates, customer service can retrieve signal stats, remotely
reboot the gateway etc. etc. And no, they certainly do not put in an option on
the gateway to disable CWMP or any of the remote management stuff they use.

You can turn off the Wi-Fi on AT&T's gateway and run your own router behind
the AT&T hardware. But since your router is behind the gateway everything
still goes through it and AT&T still can do all the CWMP stuff to their
gateway.

------
cottsak
This problem has been around for a while and is pretty serious!
[https://www.routersecurity.org/ISProuters.php](https://www.routersecurity.org/ISProuters.php)

------
jacksmith21006
Is there anyone before Google that went after getting one of these marketing
IPs?

First time I saw it was 8.8.8.8.

I personally had one in my head from the 80s, 128.252.120.1, but it is
obviously not a special one.

------
arriu
While far from perfect, for anyone looking for a temporary solution, run
pi-hole on a remote server and have it use 1.1.1.1 as its DNS. You'll get the
benefit of pi-hole blocking ads.

------
hamandcheese
I really wish Cloudflare would have used a "normal" IP for their DNS service.
That way there would be no confusion whatsoever as to whether this is
malicious or a bug.

~~~
skrause
1.1.1.1 is a normal IP.

~~~
regecks
> The Cloudflare-APNIC experiment uses two IPv4 address ranges, 1.1.1/24 and
> 1.0.0/24, which have been reserved for research use. Cloudflare's new DNS
> uses two addresses within those ranges, 1.1.1.1 and 1.0.0.1.

They had acknowledged to themselves going into it that the IPs weren't
"normal". They could have easily chosen a safer range if that was a priority.

~~~
slenk
1.1.1.1 is a normal IP as it was reserved for internet use. There are already
IP ranges that are supposed to be used for internal use, and 1.1.1.1 is not
one of them.

~~~
plopz
This whole thing is like the .dev TLD debacle.

------
aosmith
Is there any reason you couldn't just tunnel / proxy your DNS? I know that
isn't an option for most people but I think that would solve the problem.

------
m-p-3
I'm wondering what CloudFlare response will be to this.

------
aosmith
Is this only DSL? I have ATT fiber, no problems here.

~~~
thetwentyone
I experience this on ATT fiber. Pinging 1.1.1.1 times out.

~~~
aosmith
Woof that sucks. I'm in the Bay Area, where are you?

------
okket
Sure this is intentional? The headline suggests so, otherwise

"AT&T firmware update blocks access to 1.1.1.1"

would be more accurate IMHO.

------
justinzollars
I'm going to ask for a partial refund every month if they are blocking parts
of the internet.

~~~
robin_reala
They’re blocking 1 of 4,294,967,296 addresses, so I guess they’d argue that
your bill should be reduced by 0.000000232%.

------
_bxg1
Jesus Christ. Fortunately I only have AT&T on mobile and it still works there,
but I will ditch them in a heartbeat if that changes. At least in the cellular
space there's still some consumer choice to be had.

------
akshatkedia
1.1.1.1 blocked in India too on BSNL connections.

------
intrasight
As a consumer, you are free to switch to a different provider. I'm not saying
what they're doing is ok, but let's not neglect the opportunity to vote with
our $$$.

~~~
jedberg
Only if you're in the 42% minority of people who have access to more than one
ISP.

------
cabaalis
What is the likelihood of obtaining net neutrality through the courts? I.E.
Cloudflare sues -> judicial process -> decision that establishes a "right to
access"?

~~~
nv-vn
Likely 0% chance. The court cannot just go off and make up its own laws
because it wants to, all it can do is decide how existing laws should be
applied.

~~~
derekp7
It's true that courts can't make laws, but they have shown a lot of leeway in
the past of creatively interpreting laws (i.e., using the Interstate Commerce
clause to say a farmer can't raise a particular crop to feed to his own
animals). Could existing laws that prevent monopolies from unfair business
practices be applied here?

------
JumpCrisscross
What about AT&T's wireless network?

------
cyanbane
Do they block quad9? Although I trust AT&T about as far as I can throw them,
this may just be a bad config/update.

------
ryan-c
Late to the party, but here's some traceroutes run from AT&T Gigapower with
their router _entirely_ bypassed via an 802.1x MitM:

    
    
        # traceroute 1.0.0.1
        traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 60 byte packets
         1  45-18-124-1.lightspeed.austtx.sbcglobal.net (45.18.124.1)  59.462 ms  61.348 ms  63.373 ms
         2  71.149.77.208 (71.149.77.208)  1.304 ms  1.695 ms  1.957 ms
         3  75.8.128.136 (75.8.128.136)  1.329 ms  1.682 ms  1.393 ms
         4  12.83.68.145 (12.83.68.145)  2.673 ms  2.661 ms  2.648 ms
         5  12.123.18.233 (12.123.18.233)  8.877 ms  12.753 ms  8.800 ms
         6  192.205.36.206 (192.205.36.206)  6.663 ms  6.375 ms  6.680 ms
         7  66.110.56.158 (66.110.56.158)  6.885 ms  6.725 ms  6.436 ms
         8  1dot1dot1dot1.cloudflare-dns.com (1.0.0.1)  6.855 ms  6.557 ms  6.662 ms
    
        # traceroute 1.1.1.1
        traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
         1  45-18-124-1.lightspeed.austtx.sbcglobal.net (45.18.124.1)  163.322 ms  163.927 ms  174.243 ms
         2  71.149.77.208 (71.149.77.208)  1.346 ms  1.779 ms  2.035 ms
         3  75.8.128.136 (75.8.128.136)  1.215 ms  1.214 ms  1.564 ms
         4  12.83.68.137 (12.83.68.137)  1.495 ms 12.83.68.145 (12.83.68.145)  2.289 ms 12.83.68.137 (12.83.68.137) 2.283 ms
         5  12.123.18.233 (12.123.18.233)  7.783 ms  11.766 ms  11.757 ms
         6  192.205.36.206 (192.205.36.206)  6.163 ms  6.160 ms  6.202 ms
         7  66.110.56.158 (66.110.56.158)  6.909 ms  6.931 ms  6.423 ms
         8  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  6.922 ms  6.492 ms  7.075 ms
    
        ; <<>> DiG 9.9.5-9+deb8u14-Debian <<>> cloudflare.com @1.1.1.1
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15100
        ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
        
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 1536
        ;; QUESTION SECTION:
        ;cloudflare.com.			IN	A
        
        ;; ANSWER SECTION:
        cloudflare.com.		53	IN	A	198.41.214.162
        cloudflare.com.		53	IN	A	198.41.215.162
        
        ;; Query time: 7 msec
        ;; SERVER: 1.1.1.1#53(1.1.1.1)
        ;; WHEN: Thu May 03 13:40:52 UTC 2018
        ;; MSG SIZE  rcvd: 75
    
        ; <<>> DiG 9.9.5-9+deb8u14-Debian <<>> cloudflare.com @1.0.0.1
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61685
        ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
        
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 1536
        ;; QUESTION SECTION:
        ;cloudflare.com.			IN	A
        
        ;; ANSWER SECTION:
        cloudflare.com.		66	IN	A	198.41.214.162
        cloudflare.com.		66	IN	A	198.41.215.162
        
        ;; Query time: 7 msec
        ;; SERVER: 1.0.0.1#53(1.0.0.1)
        ;; WHEN: Thu May 03 13:40:39 UTC 2018
        ;; MSG SIZE  rcvd: 75
    

I'm not going to paste the output, but `curl https://1.1.1.1/` works as well.

Doesn't look like it's anything on AT&T's internal network.

~~~
criddell
I have AT&T Gigapower as well (I'm also in Austin). Can you give a description
of the 802.1x bypass? What's the advantage?

~~~
ryan-c
See [http://www.dslreports.com/forum/r30708210-AT-T-Residential-Gateway-Bypass-True-bridge-mode](http://www.dslreports.com/forum/r30708210-AT-T-Residential-Gateway-Bypass-True-bridge-mode)

You can also do essentially the same thing with a userspace 802.1x proxy like
this one:
[https://github.com/SeanMollet/1x_prox](https://github.com/SeanMollet/1x_prox)

Bypassing the router ensures that stupid router firmware does not do stupid
things to my packets, such as special handling of public IPs.

------
waldbeere
Hong Kong airport free Wi-Fi: 1.1.1.1 does not work with this DNS.

------
exabrial
File FCC complaints! This sort of thing will definitely get a response.

~~~
twexler
No it won't. The FCC doesn't work for the citizenry anymore, just for
lobbyists.

~~~
exabrial
I find the sappy, defeatist, whiney attitude with the FCC useless. File them
if you're affected. They're cataloged and can be used as evidence in the
future. The current administration is certainly against regulation, but
blocking a DNS provider is an escalation. More than likely, this block is due
to incompetence. My guess is ATT was using the IP internally for some purpose
and is now getting DDoS'd.

------
mdip
I'll go on record as saying I am an ardent _hater_ of U-Verse and AT&T due to
personal experience with their service and would like nothing more than for
this to be a purposeful act that would result in backlash on that company...

... that said, I'm going to fall in the camp of stating that this is likely an
unintentional bug. If they truly wanted to block 1.1.1.1 (and its backup),
doing so via firmware would seem to be the most difficult and unreliable way
of doing so. The benefits of doing so are also limited: (a) If the motivation
was to avoid losing the ability to spy on their customers via DNS requests,
well ... they can still do that. Yes, Cloudflare supports encrypted DNS, but
the half of one percent of folks who have this set up wouldn't be worth the
effort[0]. (b) If there was some _other_ reason to want customers using their
DNS (i.e. redirection to advertising pages when lookup fails), they could
simply do packet rewrites (of non-encrypted DNS lookups) to send them over to
AT&Ts infrastructure -- the benefit of doing this is that it would be more
likely to go unnoticed[1]. (c) There have been several _other_ , far more
popular and just as well publicized public DNS services that they haven't
messed with -- why pick on a new entrant -- why not break 8.8.8.8 or OpenDNS?

More likely is the explanation that 1.1.1.1 was being used as a de facto
10.x.x.x address for other purposes. It had a few benefits -- it was far less
likely to be used as an internal address for customers (being ... _not_ a
traditional non-routable address) and up until recently, it was unlikely to be
used for legitimate services. Or ... it's something else. Firmware bugs are
_everywhere_ and having had their service and the particular brand of modem
they're using, I'm not the least bit surprised. I had to root my modem to make
my service work reliably[2]. Heck, I worked for a telecom for 17 years, and
the first half of that, the guy who set our network up used 1-10.x.x.x as
internal addresses.

[0] It's not terribly difficult to do, but few take the effort. I've got an
internal DNS server configured (for AD purposes) which forwards to another
internal DNS server that makes all DNS requests out to cloudflare via
encrypted DNS. It was a 5 minute change to my internal setup, a lot of which
was the time it took to download the container, reboot the host for testing
purposes and validation of everything.

[1] It probably would have managed to be hidden an entire _minute_ longer than
this debacle.

[2] On their DSL (re-labeled U-Verse despite it having nothing to do with
their U-Verse TV/Internet -- it's the _old_ DSL limited to 12Mb down _if
you're lucky_), my modem would randomly display the "Internet is down" page for
all requests despite everything being fine. I forgot, exactly, what I had to
do to resolve it, but it required hitting their ping page to trigger a buffer
overflow, allowing me to get console access and running some command. I also
wanted to be able to ping the modem remotely (something they disable with no
customer-facing option to correct) to correlate it with weather so as to prove
to customer service (...and at least a little to myself) that this bizarre
happenstance wasn't all in my head. My next-door neighbors also had this
problem, so I suspected it was something in the wiring (expansion/contraction-
like) up the street, but it was hard to track down _where_ because all but two
people on that street (including us) used those homes as summer vacation homes
and were rarely there in the winter -- many didn't have service and those who
did were unlikely to be around when the weather hit about 40 degrees, so AT&T
wasn't getting reports of outages in enough frequency to do anything about it.
Two years ago, they sent a truck, took everyone down and re-did a pole 8
houses down. Since then, the problem hasn't happened.

------
exabrial
My parent company uses 1.1.1.1 as a captive portal address on the guest
network. Easy to remember, but cloudflare probably needs to stand up some more
conventional DNS ips.

~~~
Klathmon
No your parent company needs to stop abusing that IP.

Cloudflare is using a conventional IP, you are the one that isn't.

~~~
exabrial
I wasn't disagreeing...? They're using an IP that wasn't assigned by IANA.

~~~
fuzzy2
What exactly do you mean by “wasn’t assigned”? According to this article [1],
1/8 was reserved in 1981. Only from 2008 to 2010 was 1.1.1.0/24 ever truly
unallocated.

If, after 8 years, most providers still haven’t moved to either private
networks or officially assigned networks, honestly – they suck.

[1]: [https://labs.ripe.net/Members/franz/content-pollution-18](https://labs.ripe.net/Members/franz/content-pollution-18)

------
dingo_bat
Good. If Cloudflare is allowed to block sites from their hosting service based
on opinions, then ATT should be allowed to do the same. Also fuck Cloudflare
for choosing 1.1.1.1 when any network engineer worth his salt would have told
them it's going to cause problems. There are things like conventions and
traditions, you break them at your own peril.

~~~
24gttghh
>APNIC's research group held the IP addresses 1.1.1.1 and 1.0.0.1. While the
addresses were valid, so many people had entered them into various random
systems that they were continuously overwhelmed by a flood of garbage traffic.
APNIC wanted to study this garbage traffic but any time they'd tried to
announce the IPs, the flood would overwhelm any conventional network.

>We talked to the APNIC team about how we wanted to create a privacy-first,
extremely fast DNS system. They thought it was a laudable goal. We offered
Cloudflare's network to receive and study the garbage traffic in exchange for
being able to offer a DNS resolver on the memorable IPs. And, with that,
1.1.1.1 was born.[0]

[0][https://blog.cloudflare.com/announcing-1111/](https://blog.cloudflare.com/announcing-1111/)

It's _not_ a reserved address like 192.168.0.0/16 or 10.0.0.0/8[1][2], nor is
it one of the other reserved addresses for documentation or testing. So I
think people using it before as test or LAN addresses are actually in the
wrong here. This kind of "tradition" in networking is wrong. That's what
things like RFCs are for.

[1][https://tools.ietf.org/html/rfc5735](https://tools.ietf.org/html/rfc5735)

[2][https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)

~~~
dingo_bat
> It's not a reserved address

I know. That's why I wrote "tradition" instead of the RFC numbers. Way to miss
my point though.

~~~
24gttghh
You seem to miss my point, in that Cloudflare specifically chose that IP in
order to share research data with APNIC regarding people erroneously using
1.1.1.1 in the wild.

Just because something is a tradition doesn't make it a right course of
action.

