Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save CollinChaffin/24f6c9652efb3d6d5ef2f5502720ef00 to your computer and use it in GitHub Desktop.
Save CollinChaffin/24f6c9652efb3d6d5ef2f5502720ef00 to your computer and use it in GitHub Desktop.
How to disable the very little-known AT&T setting that can appear to hijack your home DNS lookups and redirect to 104.239.207.44

How to disable the very little-known AT&T setting that can appear to hijack your home DNS lookups and redirect to 104.239.207.44

Issue

DNS queries on home network suddenly resolving hosts to 104.239.207.44.

Symptoms

You will see SPORADIC mis-resolutions of EVERYTHING to that 104.239.207.44 address if their crappy router happens to hear your PC's DHCP request - EVEN IF ANOTHER DHCP SERVER ON THE NETWORK assigns the ultimate address.

Do an IPCONFIG /ALL on the PC in question, and look carefully only at the DNS SERVER line....and note it is wrongfully THE ATT ROUTER (192.168.1.254 in my case)!.  In almost every case, simply preforming a IPCONFIG /RENEW right there and again performing the /ALL, will then correctly show that YOUR DHCP SERVER'S ASSIGNED DNS SERVER is now listed.

Cause

Now, what REALLY took friggin digging including phone calls to finally find an engineer to let the cat out of the bag is why the "104.239.207.44" address?  Where is that coming from?

So my bet is you also don't know that by default AT&T has taken upon itself to forcibly inject it's own DNS server (as the router) with the latest round of firmware and unless you TAKE ACTION TO OPT-OUT, will intercept your DNS queries via new changes in router firmware pushing out the router as DNS server.

AT&T's VERY HIDDEN "helper" redirection for DNS that YOU MUST OPT-OUT of is named "DNS Error Assist" which causes this unwanted behavior.

Solution

Here is how to disable AT&T's "DNS Error Assist" service on your account. 

NOTE, this does NOT fix the recent router firmware issues that also re-enabled IPv6 without notifications that is also allowing THEIR ROUTER to continue to hand-out DNS even when you set a single IP pool range for DHCP with a non-existent reservation (which should in effect kill all DHCP on their router from handing out ANYTHING). This appears to be a firmware issue with no known current workarounds other than to take precautionary measures to ensure your DHCP replies first.

  1. Navigate to att.com and in the upper-right LOGIN
  2. Click YOUR NAME, then VIEW PROFILE
  3. Click "Communication preferences".
  4. Click "Privacy Settings".
  5. Click "DNS Error Assist " and FRIGGIN CLICK OPT-OUT!!  This is what is redirecting (via the router) your DNS queries ACTIVELY TO THEIR SERVER (104.239.207.44 is an AT&T address via Rackspace).

(OPTIONAL):  While there, you may also choose to click "External Marketing & Analytics Reports", "Relevant Advertising", and "Enhanced Relevant Advertising" and also OPT-OUT of all of those that they also DO NOT TELL YOU THAT YOU HAVE ENABLED ON YOUR ACCOUNT.

Note this is actually a per-use back-end server setting and as you will see the DNS setting says it can take up to 24hrs whereas the more "typical" privacy crap of the advertising etc. will tell you up to a week to be effective, further supporting that the "DNS error assist" is an infrastructure-based setting being pushed to your router that they not only know they have recently put into place, but have the ability to disable.

@earthsound
Copy link

The URL (and subsequent updates) provided here used to work for me, but when I visit the cmpportal page now I get a message that states:
"We couldn't locate an account for this ID. Select Register Now to create an AT&T Access ID. Link all of your accounts and enjoy the ease of using a single ID and password."
image

However, I'm logged in with my AT&T Access ID.

I found their (new?) DNS Error Assist page for my account at:
https://www.att.com/acctmgmt/profile/privacychoices

image

The problem I'm having is that even though I've disabled DNS Error Assist, it still redirects browsers to a dnserrorassist.att.net page instead of failing as expected.

When I try to visit a non-existing domain (http://osojkjlkllklkjjjle.us):

image

@rhutch117
Copy link

Not sure if this is new, but under

my profile > privacy choices

there was a checkbox to allow ATT to share or sell your personal info. I opted out before but it was checked again when I just went back and looked.

@SpaceSaver
Copy link

We need consumer-protection laws. This is disgusting.

@csmicfool
Copy link

Update: This setting doesn't work. DNS redirection still occurs.

@MisterMeanor
Copy link

MisterMeanor commented Apr 28, 2023

Update: This setting doesn't work. DNS redirection still occurs.

Sometimes it worked for me and sometimes it didn't. I had to be persistent. When it works, you will know it. You'll get to screens that allow you to actually turn off the redirect. Be patient!

It appears to be a little different now. In the upper left, select My AT&T, then Privacy Settings. Then the third box should have the button that turns it off.

@csmicfool
Copy link

Update: This setting doesn't work. DNS redirection still occurs.

Sometimes it worked for me and sometimes it didn't. I had to be persistent. When it works, you will know it. You'll get to screens that allow you to actually turn off the redirect. Be patient!

That page appears during a redirect? in the modem?

@ksylvan
Copy link

ksylvan commented Apr 29, 2023

Update: This setting doesn't work. DNS redirection still occurs.

Sometimes it worked for me and sometimes it didn't. I had to be persistent. When it works, you will know it. You'll get to screens that allow you to actually turn off the redirect. Be patient!

That page appears during a redirect? in the modem?

Yes. @csmicfool The ATT Gateway sometimes did this.

I had the great joy of ditching that shit recently when I switched to XFINITY where their XFi gateway has a real "bridge" mode so I can use their cable modem as a simple modem and have my nice ASUS mesh router handle my in-home network.

Also, using Quad9 DNS settings in my WAN setup (instead of accepting the defaults handed down by their handshake process) means my home network browsing info isn't collectible by XFINITY either.

@tance77
Copy link

tance77 commented Jul 7, 2023

Screenshot 2023-07-07 at 11 29 40 AM

To turn off "Personalized" you must turn off "Personalized Plus".

As of 2023-07-07 they also be sharing your personal details as well here is the direct link once you are logged in to https://att.com

https://www.att.com/acctmgmt/profile/privacychoices

@Drew-Daniels
Copy link

Thanks a lot for this

@rmccullagh
Copy link

does not work even if att web portal indicates setting is OFF. Comcast it is for me.

@earthsound
Copy link

As I mentioned above in January 2023, this setting hasn't worked for me all year.

@tance77
Copy link

tance77 commented Dec 13, 2023

@earthsound , @rmccullagh

The options seem to still be there for me. Make sure you are Logged In before visiting the link below.

https://www.att.com/acctmgmt/profile/privacychoices

Unless you are saying with the settings off they are still sharing your data??

@earthsound
Copy link

@earthsound , @rmccullagh

The options seem to still be there for me. Make sure you are Logged In before visiting the link below.

https://www.att.com/acctmgmt/profile/privacychoices

Unless you are saying with the settings off they are still sharing your data??

@tance77 Yes, the options are there, but disabling DNS Error Assist hasn't worked for me all year. DNS lookups are hijacked by their DNS Error Assist regardless of the setting.

See my comment from 2023-01-09.

@TheBeeZee
Copy link

For me, the DNS Error Assist option works exactly the opposite of what it indicates: if it is on, the AT&T DNS server doesn't hijack unknown domains. If it is off, it does.

@owenthewizard
Copy link

For me, the DNS Error Assist option works exactly the opposite of what it indicates: if it is on, the AT&T DNS server doesn't hijack unknown domains. If it is off, it does.

Same behavior here for one of my accounts, but not the other...

@sleaze
Copy link

sleaze commented Apr 16, 2024

Heads up: I've posted the below comment as well as further information in my newly minted repo for this topic: https://github.com/sleaze/att-fiber-internet-shameful-broken-dns-hijacking

TheBeeZee commented on Dec 13, 2023

For me, the DNS Error Assist option works exactly the opposite of what it indicates: if it is on, the AT&T DNS server doesn't hijack unknown domains. If it is off, it does.

ZOMG!!!!! THIS IS INSANE, I just tried the same thing - turning ON DNS Error Assist on my AT&T web profile settings, and immediately now instead of:

$ ping teledildonix
PING teledildonix (143.244.220.150) 56(84) bytes of data.
64 bytes from 143.244.220.150: icmp_seq=1 ttl=47 time=80.1 ms
64 bytes from 143.244.220.150: icmp_seq=2 ttl=47 time=131 ms
64 bytes from 143.244.220.150: icmp_seq=3 ttl=47 time=88.4 ms
^C
--- teledildonix ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 80.156/100.183/131.956/22.719 ms

(Note: The above is with error assist OFF, and this result is really bad because ATT is still hijacking the LAN local hostname DNS resolution and replacing it with some Digital Ocean IP address instead of returning the appropriate 192.168.1.x result, basically the same thing poor bshosey and countless others have been running into for years.

After turning it ON, I'm getting:

$ ping teledildonix
ping: teledildonix: Name or service not known

$ ping teledildonix.attlocal.net
ping: teledildonix.attlocal.net: Name or service not known

So, it's still super broken, but as noted by TheBeeZee, the setting behavior appears to be the opposite of what the AT&T portal and Internet at large claim.

Btw, this is with a BWG-500 router and AT&T fiber 1000 service. Yesterday the local DNS resolution was working fine, then there was a long power outage for most of the day. After everything came back online, local hostname DNS queries are 100% failing.

The only reliable solution appears to be running your own router behind AT&T's BWG router-modem-all-in-one. What a pain.


A few useful reference links*:

*Google is apparently now useless for finding info on the Internet beyond very basic queries for stackoverflow or reddit, I had to use Kagi to discover anything useful on this topic.

@owenthewizard
Copy link

owenthewizard commented Apr 16, 2024

The only reliable solution appears to be running your own router behind AT&T's BWG router-modem-all-in-one. What a pain.

@sleaze you may be interested in pfatt/opnatt/8311 to fully bypass AT&T's RG.

@sbussard
Copy link

I had to turn it (DNS assist) ON and OFF again to get it to stop

https://www.att.com/acctmgmt/profile/privacychoices

@raylu
Copy link

raylu commented Sep 8, 2024

IPv6 [...] continue to hand-out DNS even when you set a single IP pool range for DHCP with a non-existent reservation (which should in effect kill all DHCP on their router from handing out ANYTHING).

I don't seem to have the option to control the DHCPv6 range. Any advice on how to do that?

@mokolabs
Copy link

Does anyone know how to disable this setting on a business account?

@owenthewizard
Copy link

Does anyone know how to disable this setting on a business account?

I assume you could call them and ask, if you're paying for business. Do you have an account rep?

@mokolabs
Copy link

I don't think we have an account rep, but I'll look into that. Thanks for the tip!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment