Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
How to disable the very little-known AT&T setting that can appear to hijack your home DNS lookups and redirect to 104.239.207.44

How to disable the very little-known AT&T setting that can appear to hijack your home DNS lookups and redirect to 104.239.207.44

Issue

DNS queries on home network suddenly resolving hosts to 104.239.207.44.

Symptoms

You will see SPORADIC mis-resolutions of EVERYTHING to that 104.239.207.44 address if their crappy router happens to hear your PC's DHCP request - EVEN IF ANOTHER DHCP SERVER ON THE NETWORK assigns the ultimate address.

Do an IPCONFIG /ALL on the PC in question, and look carefully only at the DNS SERVER line....and note it is wrongfully THE ATT ROUTER (192.168.1.254 in my case)!.  In almost every case, simply preforming a IPCONFIG /RENEW right there and again performing the /ALL, will then correctly show that YOUR DHCP SERVER'S ASSIGNED DNS SERVER is now listed.

Cause

Now, what REALLY took friggin digging including phone calls to finally find an engineer to let the cat out of the bag is why the "104.239.207.44" address?  Where is that coming from?

So my bet is you also don't know that by default AT&T has taken upon itself to forcibly inject it's own DNS server (as the router) with the latest round of firmware and unless you TAKE ACTION TO OPT-OUT, will intercept your DNS queries via new changes in router firmware pushing out the router as DNS server.

AT&T's VERY HIDDEN "helper" redirection for DNS that YOU MUST OPT-OUT of is named "DNS Error Assist" which causes this unwanted behavior.

Solution

Here is how to disable AT&T's "DNS Error Assist" service on your account. 

NOTE, this does NOT fix the recent router firmware issues that also re-enabled IPv6 without notifications that is also allowing THEIR ROUTER to continue to hand-out DNS even when you set a single IP pool range for DHCP with a non-existent reservation (which should in effect kill all DHCP on their router from handing out ANYTHING). This appears to be a firmware issue with no known current workarounds other than to take precautionary measures to ensure your DHCP replies first.

  1. Navigate to att.com and in the upper-right LOGIN
  2. Click YOUR NAME, then VIEW PROFILE
  3. Click "Communication preferences".
  4. Click "Privacy Settings".
  5. Click "DNS Error Assist " and FRIGGIN CLICK OPT-OUT!!  This is what is redirecting (via the router) your DNS queries ACTIVELY TO THEIR SERVER (104.239.207.44 is an AT&T address via Rackspace).

(OPTIONAL):  While there, you may also choose to click "External Marketing & Analytics Reports", "Relevant Advertising", and "Enhanced Relevant Advertising" and also OPT-OUT of all of those that they also DO NOT TELL YOU THAT YOU HAVE ENABLED ON YOUR ACCOUNT.

Note this is actually a per-use back-end server setting and as you will see the DNS setting says it can take up to 24hrs whereas the more "typical" privacy crap of the advertising etc. will tell you up to a week to be effective, further supporting that the "DNS error assist" is an infrastructure-based setting being pushed to your router that they not only know they have recently put into place, but have the ability to disable.

@brendandebeasi
Copy link

For those of you not finding the page directly, all the opt-outs are here:
https://cmp.att.com/cmpportal/

@alice-cash
Copy link

I wish one could PR a gist. @brendandebeasi has the right answer

@jonnyabe
Copy link

You sir, are the friggin man! Been trying to get remote access to Home Assistant for the past week with no luck until now.

@brendandebeasi
Copy link

@jonnyabe Didn't realize this could affect Home Assistant as well! Whew...

@jonnyabe
Copy link

@brendandebeasi Yep! I'm don't claim to be a networking genius, but I thought I was going crazy.

@davidlick
Copy link

THANK YOU. I recently installed a Pi-hole and have had very strange DNS resolutions like https://github.com resolving to 8.8.8.8. No records set up in Pi-hole like that, no DNSMasq customizations, nothing on my router. I've kind of been pulling my hair our about it but this fixed the problem for me!

@nathan-alden-sr
Copy link

nathan-alden-sr commented Nov 1, 2021

BTW, AT&T has apparently fixed their broken opt-outs. I was able to unsubscribe from all marketing and hijacking. The relevant one:

image

Oh, and here's a friendly message from AT&T:

image

They're working hard to protect me. I feel so loved.

@karolisr
Copy link

Here's the URL with the settings to save a few https://cprodx.att.com/cmp/cmpportal

Thank you so much!!! The link still works 2021/11/17

@rockoncali
Copy link

Thanks so much for this!

@Mementh
Copy link

Mementh commented Mar 15, 2022

Sadly no longer working 2022/03/15 with me at least

@brendandebeasi
Copy link

@Mementh
Copy link

Mementh commented Mar 15, 2022

@Mementh The new URL is https://cmp.att.com/cmpportal/

"Our system doesn't seem to be cooperating. Sorry for any inconvenience. Please try again later" :(

@bsanders
Copy link

I got the exact same message today as @Mementh, but I figured out the problem with the help of ATT customer service. TL;DR: use Chromium instead of Firefox

Today the path is:
www.att.com
"Account" / "Sign In"
See Profile (right under your name, just above your "Total Balance"
Scroll down to "Data & Privacy"

"Enhance relevant advertising settings" and "Privacy settings" both lead to the same error message:

Our system doesn't seem to be cooperating. Sorry for any inconvenience. Please try again later

After getting on the embedded chat and then on the phone, we determined that the website works in Chromium, but doesn't in Firefox. No idea why. At that point I was able to get in and disable the DNS hijacking.

@mcmar
Copy link

mcmar commented May 15, 2022

I've followed the instructions providede by @bsanders in both Chrome and Edge on Windows. In both cases, I'm not able to click on either "Enhance relevant advertising settings" or "Privacy settings". In both cases, the page simply loads forever.

I haven't found any solution to disable DNS hijacking as of 2022-05-14.

@bsanders
Copy link

bsanders commented May 16, 2022

Bizarrely, I just tried again on my personal laptop (but at work) from Firefox (v96, running v99 at home). Here it works right away. Now I'm really confused. Running Ubuntu 21.04 on the laptop; KDE Neon (based on Ubuntu 20.04) at home. I'll check again when I get home, but I refreshed the page on Firefox after getting it working on Chrome and it still wasn't working there.

Could it be some kind of flag on the account that CS flipped while talking to me? Could it be the network I was connecting from?

Edit, 5/17/22: it's working from Firefox on my home network now. I'm baffled.

@binodluitel
Copy link

Thanks for the info. It helped me resolve my issue with k3d and docker DNS resolution. Here is the issue and the resolution k3d-io/k3d#1057 (comment)

@rhutch117
Copy link

Just to update, this was still working for me as of 2022-07-5.

@crowlsyong
Copy link

also this

...assuming you don't like being tracked

  1. Click back to your settings page ( for me, it's here: https://cmp.att.com/cmpportal/ )
  2. Relevant Advertising / disable
  3. Enhanced Relevant Advertising / disable
  4. External Marketing & Analytics Reports / disable

I had no idea ATT was collecting 'anonymous data' about me. Definitely going to scour my account settings to turn off all the privacy invasion/trackers that I can find.

@nathan-alden-sr
Copy link

Yes, there now seem to be additional tracking options added.

@saltyollpheist
Copy link

@Mementh The new URL is https://cmp.att.com/cmpportal/

Managed to hunt down and find this manually but just wanted to say as of August 2022, this direct link still works. Thank you everyone.

@jbrown7815
Copy link

jbrown7815 commented Aug 8, 2022

I originally disabled some of this stuff back in March, 2021 as seen above... just decided to look again and ALL 4 were back on... may be worth checking out people! https://cmp.att.com/cmpportal/ is the link. Originally I dont think it was that easy.

4 things you need to disable:

image

@dipique
Copy link

dipique commented Aug 11, 2022

Man this company sucks. Why do ISPs always suck so much.

@VaporLoq
Copy link

Thank you @CollinChaffin and @brendandebeasi !
https://cmp.att.com/cmpportal/ is still valid as of 09/16/2022.

@bmercernccer
Copy link

Generally when tech support people tell you to try a different browser, what you really need to do is clear your browser's cache and cookies, but explaining how to do that is hard, and having you try a different browser is easy, so that's what they tell you to do.

OIt's rarely actually that the browser isn't compatible, it's usually your browser's prior history, cache, cookies, and so forth that cause the problem.

Someone using Chrome can fix the problem by switching to Firefox, and someone using Firefox can fix the same problem by switching to Chrome. Switching to a different browser has the same effect as clearing cache and cookies, it gives you a fresh start.

An easier way to tell if this is the problem is by opening a new private browser window in the same browser. If the problem goes away, then you know it's not the browser's fault.

@csmicfool
Copy link

My hero. This has plagued me for years.

If you get an error disabling it, just refresh your browser and try again (at least that worked for me). UI is garbage.

@nathan-alden-sr
Copy link

nathan-alden-sr commented Oct 27, 2022

If you use a Pi-hole like I do, you can disable the DHCP server on the ARRIS border gateway modem (if that's the model you have), then configure the Pi-hole to answer DHCP queries.

image

This works on the ARRIS BGW210-700 modem.

Note that you will also have to disable IPv6 completely as the way IPv6 works causes DHCP and DNS to not work properly in my experience, at least without a more advanced setup than I have time to create.

@saltyollpheist
Copy link

@nathan-alden-sr
Thank you so much, kind sir! I've been wondering how to go about implementing this setting, and this helped me achieve the result I was after.

@JamesTeague
Copy link

@nathan-alden-sr The note about IPv6 saved me today from a lot of head-banging and hair pulling. Thank you.

@earthsound
Copy link

The URL (and subsequent updates) provided here used to work for me, but when I visit the cmpportal page now I get a message that states:
"We couldn't locate an account for this ID. Select Register Now to create an AT&T Access ID. Link all of your accounts and enjoy the ease of using a single ID and password."
image

However, I'm logged in with my AT&T Access ID.

I found their (new?) DNS Error Assist page for my account at:
https://www.att.com/acctmgmt/profile/privacychoices

image

The problem I'm having is that even though I've disabled DNS Error Assist, it still redirects browsers to a dnserrorassist.att.net page instead of failing as expected.

When I try to visit a non-existing domain (http://osojkjlkllklkjjjle.us):

image

@rhutch117
Copy link

Not sure if this is new, but under

my profile > privacy choices

there was a checkbox to allow ATT to share or sell your personal info. I opted out before but it was checked again when I just went back and looked.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment