
1895 points _l4jh | 6 comments
1. jlgaddis ◴[] No.16729845[source]
EDIT: Looks like this might be an issue w/ my AT&T-provided CPE, sorry! (more details at the bottom)

From my vantage point, 1.1.1.1 is inaccessible, while 1.0.0.1 seems to work just fine.

Comments on the blog post blame this on "various reasons" but, at least in my case, this seems to be a Cloudflare issue:

  $ ping -c 5 -q 1.0.0.1
  PING 1.0.0.1 (1.0.0.1) 56(84) bytes of data.

  --- 1.0.0.1 ping statistics ---
  5 packets transmitted, 5 received, 0% packet loss, time 4005ms
  rtt min/avg/max/mdev = 34.955/35.737/37.492/0.936 ms

  $ ping -c 5 -q 1.1.1.1
  PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.

  --- 1.1.1.1 ping statistics ---
  5 packets transmitted, 0 received, 100% packet loss, time 4102ms

  $ traceroute 1.0.0.1
  traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 60 byte packets
  [...]
   3  * * *
   4  12.83.79.61 (12.83.79.61)  28.126 ms  28.663 ms  29.110 ms
   5  cgcil403igs.ip.att.net (12.122.132.121)  35.854 ms  37.532 ms  37.510 ms
   6  ae16.cr7-chi1.ip4.gtt.net (173.241.128.29)  33.997 ms  29.083 ms  29.647 ms
   7  xe-0-0-0.cr1-det1.ip4.gtt.net (89.149.128.74)  37.758 ms  35.165 ms  36.620 ms
   8  cloudflare-gw.cr0-det1.ip4.gtt.net (69.174.23.26)  36.946 ms  37.343 ms  38.574 ms
   9  1dot1dot1dot1.cloudflare-dns.com (1.0.0.1)  38.385 ms  36.621 ms  37.157 ms

  $ traceroute 1.1.1.1
  traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
  [...]
   3  * * *
   4  12.83.79.61 (12.83.79.61)  30.388 ms 12.83.79.41 (12.83.79.41)  30.601 ms  31.280 ms
   5  cgcil403igs.ip.att.net (12.122.132.121)  37.602 ms  37.873 ms  37.808 ms
   6  ae16.cr7-chi1.ip4.gtt.net (173.241.128.29)  33.441 ms  29.788 ms  29.678 ms
   7  xe-0-0-0.cr1-det1.ip4.gtt.net (89.149.128.74)  35.266 ms  35.124 ms  33.921 ms
   8  cloudflare-gw.cr0-det1.ip4.gtt.net (69.174.23.26)  35.294 ms  35.949 ms  35.455 ms
   9  * * *
  10  * * *
  11  * * *
  12  *^C
----

EDIT: I have AT&T-provided CPE that I have to use due to 802.1X. If I log into the device (over HTTP) and use the built-in (web-based) diagnostics tools, I am able to successfully ping 1.1.1.1 from the device itself:

  ping successful: icmp seq:0, time=2.364 ms
  ping successful: icmp seq:1, time=1.085 ms
  ping successful: icmp seq:2, time=1.160 ms
  ping successful: icmp seq:3, time=1.245 ms
  ping successful: icmp seq:4, time=0.739 ms

These RTTs are way too low, however. The RTT for a ping to the CPE's next-hop/default gateway comes in at, minimum, ~20 ms.

When pinging 1.1.1.1 from my (pfSense-based) router sitting directly behind the modem, however, no replies come back from the modem to the router (confirmed via pcap on the upstream-facing interface).

Thus, it looks like this is an issue with the AT&T CPE (5268AC).

replies(3): >>16729985 #>>16732487 #>>16734439 #
2. pgrote ◴[] No.16729985[source]
I have ATT and am seeing the same issues, but my tracert is different.

   tracert 1.1.1.1

   Tracing route to 1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]
   over a maximum of 30 hops:

     1     1 ms     1 ms     1 ms  1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]

   tracert 1.0.0.1

   Tracing route to 1dot1dot1dot1.cloudflare-dns.com [1.0.0.1]
   over a maximum of 30 hops:

     1     3 ms    <1 ms    <1 ms  192.168.1.254
     2    48 ms    18 ms    34 ms  99-153-196-1.lightspeed.stlsmo.sbcglobal.net [99.153.196.1]
     3    19 ms    17 ms    17 ms  64.148.120.125
     4    29 ms    24 ms    18 ms  71.144.225.112
     5    19 ms    18 ms    18 ms  71.144.224.85
     6    19 ms    18 ms    19 ms  12.83.40.161
     7    26 ms    27 ms    26 ms  cgcil403igs.ip.att.net [12.122.132.121]
     8    27 ms    24 ms    28 ms  ae16.cr7-chi1.ip4.gtt.net [173.241.128.29]
     9    32 ms    31 ms    31 ms  xe-0-0-0.cr1-det1.ip4.gtt.net [89.149.128.74]
    10    31 ms    31 ms    31 ms  cloudflare-gw.cr0-det1.ip4.gtt.net [69.174.23.26]
    11    31 ms    31 ms    35 ms  1dot1dot1dot1.cloudflare-dns.com [1.0.0.1]

In a browser, 1.1.1.1 comes back as connection refused. 1.0.0.1 loads.

replies(1): >>16730150 #
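
The two symptoms reported in the comments above (1.1.1.1 answering as hop 1 in the tracert, and ~1 ms echo replies against a ~20 ms next-hop RTT) can be checked mechanically. This is an added example, not code from any commenter; the function names are hypothetical and the sample text is constructed from the output quoted in the thread.

```python
import ipaddress
import re

# Constructed samples, modelled on the output quoted in the comments above.
TRACERT_1_1_1_1 = """\
Tracing route to 1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]
"""
TRACERT_1_0_0_1 = """\
Tracing route to 1dot1dot1dot1.cloudflare-dns.com [1.0.0.1]
over a maximum of 30 hops:

  1     3 ms    <1 ms    <1 ms  192.168.1.254
  2    48 ms    18 ms    34 ms  99-153-196-1.lightspeed.stlsmo.sbcglobal.net [99.153.196.1]
"""
CPE_PING = """\
ping successful: icmp seq:0, time=2.364 ms
ping successful: icmp seq:1, time=1.085 ms
ping successful: icmp seq:4, time=0.739 ms
"""

# Hop number at the start of the line, responder IPv4 address at the end.
HOP_LINE = re.compile(r"^\s*(\d+)\s+.*?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")

def hops(tracert_text):
    """Return {hop_number: responder_ip} parsed from Windows tracert output."""
    found = {}
    for line in tracert_text.splitlines():
        m = HOP_LINE.match(line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found

def answered_locally(tracert_text, target):
    """True if a globally routable target replies as hop 1, i.e. a device on
    the LAN side (such as the CPE) is claiming that address for itself."""
    return (ipaddress.ip_address(target).is_global
            and hops(tracert_text).get(1) == target)

def rtt_implausible(ping_text, gateway_min_ms):
    """True if every echo reply beat the fastest RTT to the next-hop gateway,
    so the replies cannot have come from beyond it."""
    rtts = [float(x) for x in re.findall(r"time=([\d.]+) ms", ping_text)]
    return bool(rtts) and max(rtts) < gateway_min_ms

if __name__ == "__main__":
    print("1.1.1.1 answered on the LAN:", answered_locally(TRACERT_1_1_1_1, "1.1.1.1"))
    print("RTT below gateway floor:", rtt_implausible(CPE_PING, 20.0))
```
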
3. jlgaddis ◴[] No.16730150[source]
> In a browser, 1.1.1.1 comes back as connection refused. 1.0.0.1 loads.

Yep, exactly. Using 1.0.0.1, everything works. Using 1.1.1.1, nothing (ping, DNS, HTTPS) does.

EDIT: See earlier comment; looks like an issue w/ the AT&T-provided CPE (5268AC).

4. mng2 ◴[] No.16732487[source]
I have the same Pace box and can replicate. Pinging 1.1.1.1 from my OpenWrt router fails.
5. 2bluesc ◴[] No.16734439[source]
> When pinging 1.1.1.1 from my (pfSense-based) router sitting directly behind the modem, however, no replies come back from the modem to the router (confirmed via pcap on the upstream-facing interface).

Your upstream diagnosis seems to suggest otherwise, but perhaps you have an issue with using pfBlockerNG? If you're using pfSense with pfBlockerNG + DNSBL IP rules, it populates empty firewall alias files with 1.1.1.1 which was falsely assumed to be unused.

Review your aliases and pfBlockerNG alerts. If you see it dropped there, disable the firewall rule option on DNSBL; see screenshot [0].

Additional brief discussion on reddit [1] with comments from the pfBlockerNG author.

[0] https://i.imgur.com/u5q5SP2.png

[1] https://www.reddit.com/r/PFSENSE/comments/88wg6g/issue_with_...

replies(1): >>16735747 #
6. jlgaddis ◴[] No.16735747[source]
> ... perhaps you have an issue with using pfBlockerNG?

Thanks, but no, I don't use pfBlockerNG (hadn't even heard of it until now).

As mentioned, this turned out to be an issue w/ my ISP-provided CPE.