NVG599 and BGW210 gateways both route internal traffic to the Internet due to DNS flaw
I reported this security issue to AT&T twice; this post is just so other folks are aware and can take whatever steps they feel are necessary.
Until recently, I had an Arris NVG599 residential gateway. It was replaced by a BGW210. This issue was present on both units. Specifically, the embedded DNS server on these gateways will resolve internal hostnames -- those of machines directly connected to the gateway -- incorrectly, and worse, those incorrect results are external IP addresses. The gateway then happily routes your internal IP traffic to those external addresses.
In my case, the hostnames were simple English words. As far as I can tell, however, this occurs with many varieties of local hostnames. I tried many combinations of words and letters, and found none that were safe.
The DNS bug is shockingly easy to replicate. Add a host to your internal network. Access the gateway's web interface and navigate to the "Diagnostics" page. At the bottom of the "Troubleshooting" section you will find "Test Internet Access". Enter the unqualified hostname of your internal host and click the "Ping" button. The window below it will show your pings going off into the Internet instead of to your local host. For example, see the partial screenshot below (not a real host on my network, just one I set up temporarily to illustrate with).
The same behavior occurs from any device on your local network, using dig, nslookup, or any other DNS client, because they all ask the gateway's embedded DNS server. That is where the issue becomes serious: traffic meant for your internal host is instead sent out to the Internet, to whoever holds that address. The address returned in the screenshot is owned by Akamai Technologies -- and my home LAN is definitely not a part of their network.
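As an added example (not part of the original post), the small Python audit below does from a LAN client what the dig/nslookup check above does by hand: it resolves a list of hostnames through whatever resolver the OS is using (behind one of these gateways, the gateway's DNS) and flags any answer that is not a private, link-local, or loopback address. The hostnames and the answers in `SAMPLE_ANSWERS` are constructed for the demonstration, with RFC 5737 documentation addresses standing in for the external address; run it with real hostnames as arguments to query your own network.

```python
"""Audit a LAN resolver for hostnames that resolve to non-private addresses.

Added example, not part of the original post. Run with no arguments to see the
constructed sample below; run with hostnames as arguments to query whatever
resolver the OS is using (on a LAN behind one of these gateways, the gateway).
"""
import ipaddress
import socket
import sys
from typing import Callable, Dict, Iterable, List

# Ranges a LAN host can legitimately sit in: RFC 1918, link-local, loopback,
# and their IPv6 counterparts (ULA, link-local, loopback).
LAN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "169.254.0.0/16", "127.0.0.0/8",
        "fc00::/7", "fe80::/10", "::1/128",
    )
]

Resolver = Callable[[str], List[str]]


def is_lan_address(ip: str) -> bool:
    """True if `ip` falls inside one of the LAN-only ranges above."""
    addr = ipaddress.ip_address(ip)
    # `in` is False when the address and network families differ, so v4/v6 mix safely.
    return any(addr in net for net in LAN_NETWORKS)


def system_resolve(name: str) -> List[str]:
    """Resolve `name` through the OS stub resolver; [] when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # info[4][0] is the address; drop any IPv6 scope suffix such as "%eth0".
    return sorted({info[4][0].split("%")[0] for info in infos})


def audit_hostnames(hostnames: Iterable[str],
                    resolve: Resolver = system_resolve) -> Dict[str, Dict[str, List[str]]]:
    """For each hostname, split the answers into LAN addresses and leaked (non-LAN) ones."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for name in hostnames:
        answers = resolve(name)
        report[name] = {
            "lan": [a for a in answers if is_lan_address(a)],
            "leaked": [a for a in answers if not is_lan_address(a)],
        }
    return report


def leaked_hosts(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Names whose traffic would leave the LAN: any answer outside the LAN ranges."""
    return sorted(name for name, r in report.items() if r["leaked"])


# Constructed sample answers standing in for what a gateway's DNS might return.
# The external addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_ANSWERS = {
    "printer": ["192.168.1.50"],               # normal: a LAN address
    "garden": ["203.0.113.7"],                 # the bug: bare LAN name answered with an external address
    "media": ["192.168.1.20", "203.0.113.9"],  # mixed answer: still a leak
    "nosuchhost": [],                          # NXDOMAIN: no answer at all
}


def sample_resolve(name: str) -> List[str]:
    """Resolver over the constructed sample, so the audit runs offline."""
    return SAMPLE_ANSWERS.get(name, [])


def main(argv: List[str]) -> int:
    if argv:
        report = audit_hostnames(argv)  # live query via the OS resolver
    else:
        report = audit_hostnames(SAMPLE_ANSWERS, sample_resolve)
    for name, r in report.items():
        status = "LEAK" if r["leaked"] else ("ok" if r["lan"] else "no answer")
        print(f"{name:12} {status:9} lan={r['lan']} leaked={r['leaked']}")
    return 1 if leaked_hosts(report) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

`system_resolve` goes through the OS stub resolver, which may apply search domains or mDNS before asking the gateway; to see exactly what the gateway's DNS server answers, query it directly with `dig @<gateway-ip> <hostname>` and feed those answers through `is_lan_address` instead. A non-zero exit status means at least one name would send your traffic off the LAN.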
It would be great if AT&T would address this and fix it, but in the meantime users should exercise caution when accessing their local hosts: reach them by IP address or by an entry in the client's hosts file rather than by bare hostname, and check that any answer the gateway's DNS gives for a local name is actually a private address before trusting it.