AT&T explains why it blocked Cloudflare DNS: It was just an accident
AT&T has been blocking the new Cloudflare DNS service, but AT&T says the blocking was unintentional and that it will fix the problem soon.
The blocking is affecting AT&T home Internet customers who use an AT&T gateway. Cloudflare unveiled its DNS service on April 1, and users in DSLReports forum threads almost immediately started complaining that they couldn't access it. One thread began on April 1, within hours of Cloudflare's announcement.
"I am now unable to reach 18.104.22.168 and 22.214.171.124, which is unfortunate because those are the DNS servers I use," one user wrote.
Other AT&T Internet customers say they were able to use Cloudflare's DNS temporarily, and then they received a firmware update that blocked Cloudflare DNS. Some users said the problem occurred after a firmware update to AT&T's Arris BGW210-700 gateway.
"I have a BGW210-700 from AT&T. I was using 126.96.36.199 and 188.8.131.52 without issues until this morning," one user wrote on April 10. "From the logs, it seems AT&T pushed a new firmware down to the device and restarted it remotely. Now, I cannot reach 184.108.40.206 or 220.127.116.11."
"18.104.22.168 was working for me on AT&T after Cloudflare released 22.214.171.124, then shortly after that it ceased working," another AT&T customer wrote this week. "Maybe the firmware update has a bug, but it's very suspiciously timed." In reply to that comment, another user said that "it worked for a day or so and then stopped."
Controversy continued to build this week when Reddit and Hacker News threads pointed to the original complaints and described ongoing problems. On Wednesday, Cloudflare CEO Matthew Prince criticized AT&T and seemed to indicate that he thought the blocking is intentional. AT&T "appear[s] to be actively locking down the past and breaking Internet standards in the process," Prince wrote in a tweet.
Once upon a time @ATTcares used to promise they'd enable the future, so disappointing they now appear to be actively locking down the past and breaking Internet standards in the process. https://t.co/LPPDDtXETs
— Matthew Prince (@eastdakota) May 2, 2018
“Unintentional IP address conflict”
When contacted by Ars, Prince said Cloudflare was still trying to figure out what happened and that he hoped it was just a mistake. Shortly after, an AT&T spokesperson told Ars that the blocking was an accident.
"With the recent launch of Cloudflare's 126.96.36.199 DNS service, we have discovered an unintentional gateway IP address conflict with 1 of their 4 useable IPs and are working to resolve the issue," AT&T told Ars yesterday.
AT&T also told us that most of its customers should be able to access Cloudflare DNS using the alternate 188.8.131.52 address. AT&T didn't say when it will roll out a fix.
Some users confirmed that they could use Cloudflare's 184.108.40.206 address even though 220.127.116.11 wasn't working for them.
Upon hearing AT&T's statement, Prince told Ars that "my hunch is it was unintentional" and that he is glad AT&T is working to resolve it. AT&T didn't tell us how many of its customers were affected, and Prince said he didn't know how many people had the problem.
Cloudflare chose 18.104.22.168 because it wanted a memorable address.
The problem reportedly affects multiple AT&T gateways. One customer ran a traceroute on April 1 and found that AT&T's Arris 5268AC gateway "has been assigned 22.214.171.124 on an internal interface."
Some Cisco equipment apparently does the same; another person writing in a DSLReports forum pointed to years-old support threads showing that Cisco gear was using 126.96.36.199. Such equipment "uses 188.8.131.52 as a virtual IP to redirect to when the device needs to be set up for the first time, or uses it as a captive portal to authenticate guest Wi-Fi, such as in hotels and restaurants and such," the person wrote.
AT&Ts controversial history
There haven't been any recent reports of AT&T blocking other major DNS services.
Although there's reason to think the blocking wasn't intentional, AT&T's public stances on net neutrality and privacy helped make people suspicious about the company's motives. AT&T sued the Federal Communications Commission in 2015 in order to eliminate net neutrality rules that forbid ISPs from blocking or throttling websites and online services.
While AT&T lost that lawsuit, its lobbying helped convince the FCC to ditch the net neutrality rules after Republicans took over the commission majority last year. AT&T claimed during its anti-net neutrality lobbying campaign that it never blocked third-party applications, even though AT&T did block FaceTime on its cellular network in 2012 when users tried to access the application from certain data plans.
Cloudflare pitches 184.108.40.206 as a privacy tool that can help deter ISPs from monitoring one's Internet usage. AT&T lobbied against broadband privacy rules last year, and the company used to charge fiber Internet customers extra for privacy. AT&T fiber customers who did not opt in to a traffic scanning system that analyzed Internet usage in order to deliver personalized ads had to pay at least $29 more per month than customers who consented to the scanning.
AT&T ended the controversial traffic scanning program in September 2016, but it says that it still wants the "flexibility" to expand advertising-focused business models to compete against Facebook, Amazon, and Google.
One AT&T user who couldn't connect to 220.127.116.11 or 18.104.22.168 wrote on April 5 that it "Makes you wonder why AT&T would be continuing to roll this [firmware] out knowing they are blocking DNS servers. I wonder if it's on purpose due to the added privacy offered by 22.214.171.124?"
Other people suspected it was just a mistake.
"This is almost certainly just there to block people who mistakenly paste in an example configuration somewhere," a Hacker News poster speculated. "Also, why on earth would AT&T block 126.96.36.199 and not Google DNS and OpenDNS?"