How to disable the very little-known AT&T setting that can appear to hijack your home DNS lookups and redirect to 104.239.207.44

Issue

DNS queries on home network suddenly resolving hosts to 104.239.207.44.

Symptoms

You will see SPORADIC mis-resolutions of EVERYTHING to that 104.239.207.44 address if their crappy router happens to hear your PC's DHCP request - EVEN IF ANOTHER DHCP SERVER ON THE NETWORK assigns the ultimate address.

Do an IPCONFIG /ALL on the PC in question, and look carefully only at the DNS SERVER line... and note it is wrongfully THE ATT ROUTER (192.168.1.254 in my case)! In almost every case, simply performing an IPCONFIG /RENEW right there and again performing the /ALL will then correctly show that YOUR DHCP SERVER'S ASSIGNED DNS SERVER is now listed.
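Both checks above can be scripted. This is an added example, not part of the original gist: it parses English-locale `ipconfig /all` output for DNS servers your own DHCP server did not assign, and probes whether a name that cannot exist still gets an answer. The sample output, the 192.168.1.10 local DNS server and the function names are assumptions made up for illustration.

```python
import socket
import uuid

ASSIST_IP = "104.239.207.44"  # redirect target reported in this gist

# Constructed sample of English-locale `ipconfig /all` output (not a real capture).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.254
                                       192.168.1.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def dns_servers_by_adapter(ipconfig_text):
    """Map each adapter section to the DNS servers listed under it."""
    servers, section, in_dns = {}, None, False
    for line in filter(str.strip, ipconfig_text.splitlines()):  # skip blank lines
        if not line[0].isspace():            # unindented line starts a new section
            section, in_dns = line.strip().rstrip(":"), False
        elif ". :" in line:                  # "Key . . . : value" field line
            key, _, value = line.partition(". :")
            in_dns = key.strip(" .") == "DNS Servers"
            if in_dns and value.strip():
                servers.setdefault(section, []).append(value.strip())
        elif in_dns:                         # continuation line: another DNS server
            servers.setdefault(section, []).append(line.strip())
    return servers

def unexpected_dns(ipconfig_text, expected):
    """Return (adapter, server) pairs for DNS servers your own DHCP did not assign."""
    return [(adapter, s)
            for adapter, found in dns_servers_by_adapter(ipconfig_text).items()
            for s in found if s not in expected]

def nxdomain_rewritten(resolve=socket.gethostbyname, suffix="invalid"):
    """Look up a random name that cannot exist; return the address if one comes back."""
    # .invalid is a reserved TLD, so any answer means something rewrote the failure.
    # Some resolvers answer .invalid locally; pass another suffix to test upstream.
    name = f"{uuid.uuid4().hex}.{suffix}"
    try:
        return resolve(name)
    except OSError:                          # socket.gaierror: lookup failed, as it should
        return None

if __name__ == "__main__":
    print("unexpected DNS servers:", unexpected_dns(SAMPLE_IPCONFIG, {"192.168.1.10"}))
    hit = nxdomain_rewritten()
    print("NXDOMAIN answered with", hit, "(DNS Error Assist)" if hit == ASSIST_IP else "")
```

On a real PC, feed the function the text of `ipconfig /all` instead of the sample; a non-`None` result from `nxdomain_rewritten()` means failed lookups are being rewritten somewhere between you and the resolver.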

Cause

Now, what REALLY took friggin digging including phone calls to finally find an engineer to let the cat out of the bag is why the "104.239.207.44" address?  Where is that coming from?

So my bet is you also don't know that by default AT&T has taken it upon itself to forcibly inject its own DNS server (as the router) with the latest round of firmware and, unless you TAKE ACTION TO OPT-OUT, will intercept your DNS queries via new changes in router firmware that push out the router as the DNS server.

AT&T's VERY HIDDEN "helper" redirection for DNS that YOU MUST OPT-OUT of is named "DNS Error Assist" which causes this unwanted behavior.

Solution

Here is how to disable AT&T's "DNS Error Assist" service on your account. 

NOTE: this does NOT fix the recent router firmware issues that also re-enabled IPv6 without notification, which also allows THEIR ROUTER to continue to hand out DNS even when you set a single IP pool range for DHCP with a non-existent reservation (which should in effect kill all DHCP on their router from handing out ANYTHING). This appears to be a firmware issue with no known current workarounds other than to take precautionary measures to ensure your DHCP replies first.

  1. Navigate to att.com and in the upper-right LOGIN
  2. Click YOUR NAME, then VIEW PROFILE
  3. Click "Communication preferences".
  4. Click "Privacy Settings".
  5. Click "DNS Error Assist" and FRIGGIN CLICK OPT-OUT!!  This is what is redirecting (via the router) your DNS queries ACTIVELY TO THEIR SERVER (104.239.207.44 is an AT&T address via Rackspace).

(OPTIONAL):  While there, you may also choose to click "External Marketing & Analytics Reports", "Relevant Advertising", and "Enhanced Relevant Advertising" and also OPT-OUT of all of those that they also DO NOT TELL YOU THAT YOU HAVE ENABLED ON YOUR ACCOUNT.

Note this is actually a per-use back-end server setting, and as you will see, the DNS setting says it can take up to 24hrs, whereas the more "typical" privacy crap of the advertising etc. will tell you up to a week to be effective. That further supports that the "DNS error assist" is an infrastructure-based setting being pushed to your router that they not only know they have recently put into place, but have the ability to disable.

@kingsloi kingsloi commented Dec 5, 2019

thanks! Was testing cURLing to a bad URL, hoping to test an exception but kept getting DNS Error Assist page which returns a 200/OK, when it shouldn't work at all, applied it and it works a treat!

Here's the URL with the settings to save a few clicks

https://cprodx.att.com/cmp/cmpportal/

@sourcerose sourcerose commented Mar 24, 2020

My friend was having this issue. Why would AT&T even do something like this. To track you?

@kingsloi kingsloi commented Mar 25, 2020

> My friend was having this issue. Why would AT&T even do something like this. To track you? @johno1566

Or worse, domain squat! Or, by removing Chrome's ERR_NAME_NOT_RESOLVED error page, and using their own, they can show you their site/ads and get clicks? Either way, it's shady

@chrismessina chrismessina commented Jun 1, 2020

Also, if you're on a Mac, you can change your DNS settings under System Preferences › Network to use Google Public DNS or Cloudflare DNS.

@brbeaird brbeaird commented Jun 10, 2020

Opting out of the preference does not work for me. I waited a week and tried a hard modem reset. AT&T support finally got back to me and said my particular modem (BGW 210) does not currently support the opt-out command. This is giving me all kinds of headaches working from home over VPN. For now, I have manual DNS settings on my machine, but I still run into weird issues sometimes. Really wish there was a way I could totally disable this awful setting.

@chrismessina chrismessina commented Jun 11, 2020

Wow, yuck! Is that the case even if you change your system's DNS?

@jamshid jamshid commented Jun 15, 2020

Thanks @brbeaird I also have the Motorola BGW210-700 and have been trying to figure out why turning off DNS Error Assist does not work.
Does ATT have any plans to fix this, do you happen to have a direct line to complain?
Can anyone recommend an alternative modem?

@brbeaird brbeaird commented Jun 15, 2020

They did not mention any specific plans to fix it. They said the Pace modem supposedly works; I used to have that model but replaced it because it had other issues for me.

I originally tried taking this through their support but always just got a response like "I will take this to higher level support and let you know" without ever getting follow-up. I eventually tried Twitter and did finally get someone who called me and told me the BGW210 just does not allow opting out.

If I manually set my system's DNS to something like one of the public DNS servers, it does seem to work to get around the DNS error assist garbage, but that's super tedious and is not practical to do for every device on my network.

@chrismessina chrismessina commented Jun 15, 2020

> If I manually set my system's DNS to something like one of the public DNS servers, it does seem to work to get around the DNS error assist garbage, but that's super tedious and is not practical to do for every device on my network.

I connect my AT&T router to a downstream Airport Extreme (could be any other router that allows you to configure your DNS) and it'll override the AT&T router's DNS settings. That way you don't need to configure every one of your devices.

@sourcerose sourcerose commented Jun 17, 2020

@AndyRH1701 AndyRH1701 commented Jun 19, 2020

YMMV
I double NAT, the inside router does masquerade on port 53 (DNS) to my pi-hole servers that do DoH to CloudFlare. 53 never makes it to the ATT router in my "DMZ". Also handy in stopping other DNS abuses by IoT devices.

@nathan-alden-sr nathan-alden-sr commented Jun 24, 2020

Is anyone else seeing this? It appears as though AT&T disallows opt out:

image

Also, the other privacy settings conveniently return an "error" when I attempt to opt out of them, or simply can't be opted out of at all:

image

@nathan-alden-sr nathan-alden-sr commented Jun 24, 2020

For the failing request, the website is attempting to POST to this URL: https://cprodx.att.com/cmp/restservices/CMP/v1/services/updateConsentExceptFCC. The response is a 200 with this content: {"statusCode":0,"status":null}.

@aaronp24 aaronp24 commented Jun 29, 2020

I've tried disabling this several times. Sometimes I see this error, sometimes I see a slider labeled U_BANS and sometimes I see a slider with the proper label. Toggling it off does absolutely nothing, AT&T continues to hijack invalid DNS names no matter what I set it to.

@dominicx254 dominicx254 commented Jun 30, 2020

Yeah... I can't make the changes either. Thanks for the Mac Settings... I'm new to a Mac, so I don't know if it will work.

@ksylvan ksylvan commented Oct 4, 2020

This saved me a bunch of time and also made me aware of these evil settings. Thanks!

@mstevetodd mstevetodd commented Oct 21, 2020

Thank you for posting this. Was a real nuisance using my company vpn.
