Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
How to disable the very little-known AT&T setting that can appear to hijack your home DNS lookups and redirect to 104.239.207.44

How to disable the very little-known AT&T setting that can appear to hijack your home DNS lookups and redirect to 104.239.207.44

Issue

DNS queries on home network suddenly resolving hosts to 104.239.207.44.

Symptoms

You will see SPORADIC mis-resolutions of EVERYTHING to that 104.239.207.44 address if their crappy router happens to hear your PC's DHCP request - EVEN IF ANOTHER DHCP SERVER ON THE NETWORK assigns the ultimate address.

Do an IPCONFIG /ALL on the PC in question, and look carefully only at the DNS SERVER line....and note it is wrongfully THE ATT ROUTER (192.168.1.254 in my case)!.  In almost every case, simply preforming a IPCONFIG /RENEW right there and again performing the /ALL, will then correctly show that YOUR DHCP SERVER'S ASSIGNED DNS SERVER is now listed.

Cause

Now, what REALLY took friggin digging including phone calls to finally find an engineer to let the cat out of the bag is why the "104.239.207.44" address?  Where is that coming from?

So my bet is you also don't know that by default AT&T has taken upon itself to forcibly inject it's own DNS server (as the router) with the latest round of firmware and unless you TAKE ACTION TO OPT-OUT, will intercept your DNS queries via new changes in router firmware pushing out the router as DNS server.

AT&T's VERY HIDDEN "helper" redirection for DNS that YOU MUST OPT-OUT of is named "DNS Error Assist" which causes this unwanted behavior.

Solution

Here is how to disable AT&T's "DNS Error Assist" service on your account. 

NOTE, this does NOT fix the recent router firmware issues that also re-enabled IPv6 without notifications that is also allowing THEIR ROUTER to continue to hand-out DNS even when you set a single IP pool range for DHCP with a non-existent reservation (which should in effect kill all DHCP on their router from handing out ANYTHING). This appears to be a firmware issue with no known current workarounds other than to take precautionary measures to ensure your DHCP replies first.

  1. Navigate to att.com and in the upper-right LOGIN
  2. Click YOUR NAME, then VIEW PROFILE
  3. Click "Communication preferences".
  4. Click "Privacy Settings".
  5. Click "DNS Error Assist " and FRIGGIN CLICK OPT-OUT!!  This is what is redirecting (via the router) your DNS queries ACTIVELY TO THEIR SERVER (104.239.207.44 is an AT&T address via Rackspace).

(OPTIONAL):  While there, you may also choose to click "External Marketing & Analytics Reports", "Relevant Advertising", and "Enhanced Relevant Advertising" and also OPT-OUT of all of those that they also DO NOT TELL YOU THAT YOU HAVE ENABLED ON YOUR ACCOUNT.

Note this is actually a per-use back-end server setting and as you will see the DNS setting says it can take up to 24hrs whereas the more "typical" privacy crap of the advertising etc. will tell you up to a week to be effective, further supporting that the "DNS error assist" is an infrastructure-based setting being pushed to your router that they not only know they have recently put into place, but have the ability to disable.

@chrismessina
Copy link

chrismessina commented Jun 11, 2020

Wow, yuck! Is that the case even if you change your system's DNS?

@jamshid
Copy link

jamshid commented Jun 15, 2020

Thanks @brbeaird I also have the Motorola BGW210-700 and have been trying to figure out why turning off DNS Error Assist does not work.
Does ATT have any plans to fix this, do you happen to have a direct line to complain?
Can anyone recommend an alternative modem?

@brbeaird
Copy link

brbeaird commented Jun 15, 2020

They did not mention any specific plans to fix it. They said the Pace modem supposedly works; I used to have that model but replaced it because it had other issues for me.

I originally tried taking this through their support but always just got a response like "I will take this to higher level support and let you know" without ever getting follow-up. I eventually tried Twitter and did finally get someone who called me and told me the BGW210 just does not allow opting out.

If I manually set my system's DNS to something like one of the public DNS servers, it does seem to work to get around the DNS error assist garbage, but that's super tedious and is not practical to do for every device on my network.

@chrismessina
Copy link

chrismessina commented Jun 15, 2020

If I manually set my system's DNS to something like one of the public DNS servers, it does seem to work to get around the DNS error assist garbage, but that's super tedious and is not practical to do for every device on my network.

I connect my AT&T router to a downstream Airport Extreme (could be any other router that allows you to configure your DNS) and it'll override the AT&T router's DNS settings. That way you don't need to configure every one of your devices.

@sourcerose
Copy link

sourcerose commented Jun 17, 2020

@AndyRH1701
Copy link

AndyRH1701 commented Jun 19, 2020

YMMV
I double NAT, the inside router does masquerade on port 53 (DNS) to my pi-hole servers that do DoH to CloudFlare. 53 never makes it to the ATT router in my "DMZ". Also handy in stopping other DNS abuses by IoT devices.

@nathan-alden-sr
Copy link

nathan-alden-sr commented Jun 24, 2020

Is anyone else seeing this? It appears as though AT&T disallows opt out:

image

Also, the other privacy settings conveniently return an "error" when I attempt to opt out of them, or simply can't be opted out of at all:

image

@nathan-alden-sr
Copy link

nathan-alden-sr commented Jun 24, 2020

For the failing request, the website is attempting to POST to this URL: https://cprodx.att.com/cmp/restservices/CMP/v1/services/updateConsentExceptFCC. The response is a 200 with this content: {"statusCode":0,"status":null}.

@aaronp24
Copy link

aaronp24 commented Jun 29, 2020

I've tried disabling this several times. Sometimes I see this error, sometimes I see a slider labeled U_BANS and sometimes I see a slider with the proper label. Toggling it off does absolutely nothing, AT&T continues to hijack invalid DNS names no matter what I set it to.

@dominicx254
Copy link

dominicx254 commented Jun 30, 2020

Yeah... I can't make the changes either. Thanks for the Mac Settings... I'm new to a Mac, so I don't know if it will work.

@ksylvan
Copy link

ksylvan commented Oct 4, 2020

This saved me a bunch of time and also made me aware of these evil settings. Thanks!

@mstevetodd
Copy link

mstevetodd commented Oct 21, 2020

Thank you for posting this. Was a real nuisance using my company vpn.

@benkimpel
Copy link

benkimpel commented Dec 10, 2020

@MisterMeanor
Copy link

MisterMeanor commented Jan 7, 2021

Thank you so much for this @CollinChaffin! The navigation has changed a bit since this post.

  1. After you have logged in, you just click the Profile icon. There is no "Your Name".
  2. When you click "Privacy Settings", it opens a page that is blank. Nothing else. I guess opting out is the only privacy setting? Also, I see no way to opt back in (not that you'd ever want to).

But it did work and I've managed to opt out!!!

Again many thanks!!!

@jbrown7815
Copy link

jbrown7815 commented Mar 6, 2021

Thank you so much for this, who would have known... even when I manually set my DNS in Windows it shows them 2 + ATT's...

@brendandebeasi
Copy link

brendandebeasi commented Jul 21, 2021

For those of you not finding the page directly, all the opt-outs are here:
https://cmp.att.com/cmpportal/

@alice-cash
Copy link

alice-cash commented Aug 14, 2021

I wish one could PR a gist. @brendandebeasi has the right answer

@jonnyabe
Copy link

jonnyabe commented Sep 16, 2021

You sir, are the friggin man! Been trying to get remote access to Home Assistant for the past week with no luck until now.

@brendandebeasi
Copy link

brendandebeasi commented Sep 16, 2021

@jonnyabe Didn't realize this could affect Home Assistant as well! Whew...

@jonnyabe
Copy link

jonnyabe commented Sep 16, 2021

@brendandebeasi Yep! I'm don't claim to be a networking genius, but I thought I was going crazy.

@davidlick
Copy link

davidlick commented Nov 1, 2021

THANK YOU. I recently installed a Pi-hole and have had very strange DNS resolutions like https://github.com resolving to 8.8.8.8. No records set up in Pi-hole like that, no DNSMasq customizations, nothing on my router. I've kind of been pulling my hair our about it but this fixed the problem for me!

@nathan-alden-sr
Copy link

nathan-alden-sr commented Nov 1, 2021

BTW, AT&T has apparently fixed their broken opt-outs. I was able to unsubscribe from all marketing and hijacking. The relevant one:

image

Oh, and here's a friendly message from AT&T:

image

They're working hard to protect me. I feel so loved.

@karolisr
Copy link

karolisr commented Nov 18, 2021

Here's the URL with the settings to save a few https://cprodx.att.com/cmp/cmpportal

Thank you so much!!! The link still works 2021/11/17

@rockoncali
Copy link

rockoncali commented Feb 8, 2022

Thanks so much for this!

@Mementh
Copy link

Mementh commented Mar 15, 2022

Sadly no longer working 2022/03/15 with me at least

@brendandebeasi
Copy link

brendandebeasi commented Mar 15, 2022

@Mementh
Copy link

Mementh commented Mar 15, 2022

@Mementh The new URL is https://cmp.att.com/cmpportal/

"Our system doesn't seem to be cooperating. Sorry for any inconvenience. Please try again later" :(

@bsanders
Copy link

bsanders commented May 12, 2022

I got the exact same message today as @Mementh, but I figured out the problem with the help of ATT customer service. TL;DR: use Chromium instead of Firefox

Today the path is:
www.att.com
"Account" / "Sign In"
See Profile (right under your name, just above your "Total Balance"
Scroll down to "Data & Privacy"

"Enhance relevant advertising settings" and "Privacy settings" both lead to the same error message:

Our system doesn't seem to be cooperating. Sorry for any inconvenience. Please try again later

After getting on the embedded chat and then on the phone, we determined that the website works in Chromium, but doesn't in Firefox. No idea why. At that point I was able to get in and disable the DNS hijacking.

@mcmar
Copy link

mcmar commented May 15, 2022

I've followed the instructions providede by @bsanders in both Chrome and Edge on Windows. In both cases, I'm not able to click on either "Enhance relevant advertising settings" or "Privacy settings". In both cases, the page simply loads forever.

I haven't found any solution to disable DNS hijacking as of 2022-05-14.

@bsanders
Copy link

bsanders commented May 16, 2022

Bizarrely, I just tried again on my personal laptop (but at work) from Firefox (v96, running v99 at home). Here it works right away. Now I'm really confused. Running Ubuntu 21.04 on the laptop; KDE Neon (based on Ubuntu 20.04) at home. I'll check again when I get home, but I refreshed the page on Firefox after getting it working on Chrome and it still wasn't working there.

Could it be some kind of flag on the account that CS flipped while talking to me? Could it be the network I was connecting from?

Edit, 5/17/22: it's working from Firefox on my home network now. I'm baffled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment