If anyone at 7018 wants to pass a message along to the correct folks,
please let them know that Cloudflare's new public DNS service (1.1.1.1)
is completely unusable for at least some of AT&T's customers.
There is apparently a bug with some CPE (including the 5268AC). From
behind such CPE, the services at 1.1.1.1 are completely unreachable,
whether via (ICMP) ping, DNS, or HTTPS.
Using the 5268AC's web-based diagnostic tools, pinging 1.1.1.1 returns
the following results:
ping successful: icmp seq:0, time=2.364 ms
ping successful: icmp seq:1, time=1.085 ms
ping successful: icmp seq:2, time=1.160 ms
ping successful: icmp seq:3, time=1.245 ms
ping successful: icmp seq:4, time=0.739 ms
RTTs to the CPE's default gateway are, at minimum, ~20 ms.
A traceroute (using the same web-based diagnostic tool built into the
CPE) reports, simply:
I haven't bothered to report this to AT&T through the standard customer
support channels (for reasons that should be obvious to anyone who has
ever called AT&T's consumer/residential technical support) but if anyone
at AT&T wants to pass the info along to the appropriate group, it would
certainly be appreciated.
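The heuristic in the report above (RTTs to 1.1.1.1 that are far below the RTT to the CPE's own default gateway mean something local is answering for the address) can be scripted against the CPE's ping output. This is an added example, not code from the thread; the ping lines are the ones quoted above, and the 20 ms gateway RTT and the function names are assumptions.

```shell
#!/bin/sh
# Detect a CPE (or other local box) answering for 1.1.1.1 by comparing
# the minimum ping RTT to 1.1.1.1 with the RTT to the default gateway.
# A target "closer" than the gateway cannot be reached via that gateway.

# Constructed sample, copied from the CPE diagnostic output quoted above.
SAMPLE_PING='ping successful: icmp seq:0, time=2.364 ms
ping successful: icmp seq:1, time=1.085 ms
ping successful: icmp seq:2, time=1.160 ms
ping successful: icmp seq:3, time=1.245 ms
ping successful: icmp seq:4, time=0.739 ms'

# Assumed gateway RTT in ms (the thread says ~20 ms at minimum).
GATEWAY_RTT_MS=20

# min_rtt_ms: read ping-style lines on stdin, print the smallest "time=" value.
min_rtt_ms() {
  awk 'match($0, /time=[0-9.]+/) {
         v = substr($0, RSTART + 5, RLENGTH - 5)   # strip the "time=" prefix
         if (min == "" || v + 0 < min + 0) min = v
       }
       END { if (min != "") print min }'
}

# flags_local_answer PING_TEXT GATEWAY_RTT_MS
# Exit 0 when the target's best RTT is below the gateway RTT (suspicious),
# 1 when it is not, 2 when no RTT could be parsed.
flags_local_answer() {
  target_min=$(printf '%s\n' "$1" | min_rtt_ms)
  [ -n "$target_min" ] || return 2
  awk -v t="$target_min" -v g="$2" 'BEGIN { exit !(t + 0 < g + 0) }'
}

# Stand-alone run against the constructed sample.
if flags_local_answer "$SAMPLE_PING" "$GATEWAY_RTT_MS"; then
  echo "1.1.1.1 answers faster than the gateway: likely intercepted by CPE"
else
  echo "1.1.1.1 RTT is consistent with a real upstream path"
fi
```

On a live box, replace SAMPLE_PING with the output of `ping -c 5 1.1.1.1` and GATEWAY_RTT_MS with the gateway's measured RTT; the parser only depends on a `time=N.NNN` field, which both the CPE tool and standard ping emit.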
I am behind a Calix router at home for my ISP and 1.1.1.1 goes to my router
and not any further. When I enter the IP into my browser, it opens the
login page for my router. So it appears 1.1.1.1 is used as a loopback in my
Calix router.
That sounds like a provider problem with their configuration, most likely. I run hundreds of 844Es and 844Gs, and have one at my house even, and it continued out fine for 1.1.1.1 when I was testing over the weekend with our config.
1.0.0.0/8 was assigned to APNIC in 2010. Those who used it as a placeholder were doing it wrong. It is valid IP space. It just was not assigned until 2010.
Look at the WHOIS info -- 1.1.1.0/24 is assigned to APNIC Research, and it says
remarks: ++++++++++++++++++
remarks: + Address blocks listed with this contact
remarks: + are withheld from general use and are
remarks: + only routed briefly for passive testing.
remarks: +
remarks: + If you are receiving unwanted traffic
remarks: + it is almost certainly spoofed source
remarks: + or hijacked address usage.
There's a comment at the top saying:
descr: APNIC and Cloudflare DNS Resolver project
descr: Routed globally by AS13335/Cloudflare
descr: Research prefix for APNIC Labs
So it's routed deliberately but it sure looks like an experiment.
There's way too much equipment that treats 1.1.1.1 as magic for it to
work reliably. Captive portals tend to use that address for the host
you contact to log out.
This looks like a willy-waving exercise by Cloudflare coming up with the lowest
quad-digit IP. They must have known that this would cause routing issues, and
now suddenly it's our responsibility to make significant changes to live
infrastructures just so they can continue to look clever with the IP address.
In this case, one only broke their own infrastructure by doing bad things or "being clever" by misusing space that isn't theirs in unintended ways; people doing things correctly would not have this issue...
Perhaps we can ask APNIC what the experiment is. They surely know that 1.1.1.1 is messed up so I doubt that Matt expects every coffee shop in the world to bend to his will.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
I am very impressed at Cloudflare’s forward thinking to force investing a significant amount of IPv4 infrastructure. This will obviously become even more important in the future as IPv6 withers away and is replaced by IPv4.
And, I repeat, please tell me how many end users know about or care about DNS, even after reading snake oil advertisements.
That's probably a key part of the experiment: to find locations and
systems where 1.1.1.1 is trashed.
It should be routable, and it's about time that vendors stopped messing
around in that space. Hopefully this is one of the sticks that prods
people to start to behave, at which point 1.0.0.0/8 will regain value
too and can be used by APNIC for other requirements.
As for those berating addresses used for experiments: there are MANY
networking experiments going on out there; the Internet itself
derives from one big ongoing experiment... and some would even say it
IS still an experiment.
If you know of others please send them my way so we can investigate.
A lot of hotel and coffee shop captive portals use it for the login
and logout screens. Don't know what the underlying software is, but
wander around London and hop on the wifi at coffee shops and hotels
and you'll run into it soon enough.