Captive Portals

NextDNS fails to allow connections to captive portals. By definition, a captive portal is a Man-in-the-Middle attack. That said, they are absolutely necessary. I have had to remove NextDNS from my family's computers and go back to a hacked VPS running PiHole because of the issue. The captive portals are inaccessible on M1 Macs running the latest updates and the NextDNS profile, on Fedora 34 running the latest updates and the Linux client, on iPhone 11 Pros running latest updates and the profile, and an M1 Mac running the latest update and the Apple App Store client.

Look, I know I can add the portals to the "allow list" or remap them in the "settings" tab, but this is just not feasible for a family of five using your product. There has to be a better solution. PiHole is functional, but it lacks quite a few of the specialized features you all have added to NextDNS.

That said, if this cannot be corrected, I do not think businesses or families will see your product as viable.

  • You have a captive portal at home?

  • Sorry, no captive portals at home. The captive portals we encounter are at Panera, Starbucks, Einstein's, University Hospital, Christus Hospital, Methodist Hospital, Ikea, McDonalds, heck, even school now. 

    As a workaround, the updated apps for the iPhone and MacBooks can be set as the System DNS, and the switch in the NextDNS app will allow returning to the DHCP (standard) DNS without having to remove NextDNS as the system DNS.

    I have instructed my family that when they encounter a captive portal with a blank screen, they should turn off the switch in NextDNS, cycle the Wi-Fi with Airplane mode, and then, after connecting, turn NextDNS back on. The problem is that they usually forget to turn it back on.

    I wish there was a "button" one could add to the "widgets" that would switch NextDNS over to the DHCP DNS for, say, 3 minutes to allow connection to the captive portal. That way, it could turn NextDNS back on without anyone having to remember to do it.

  • I've seen this multiple times on iOS, and sometimes on a MacBook Pro with the native apps installed. I also see it with the CLI installer on a MacBook. I've been an early adopter of NextDNS, and now that it's grown to where it is, this should simply work. Normal folks are not going to know to disable, re-enable, etc., and that is putting the security back in the hands of the user. There are always reports of captive portal issues, and these need to get fixed and prioritized IMO so it works consistently.


      Chris Colotti: Totally agree with this. I have some of my users traveling, and they don't even have admin access, let alone know what "DNS" is. The product really isn't developed well.

  • Some great news on the Captive Portal solution!

    A solution has been found!

    NextDNS updated its configuration generator at: apple.nextdns.io

    In that generator for your apple devices, you can click "advanced"

    Under the section labeled "Excluded Domains" enter:

    mask.icloud.com, mask-h2.icloud.com, captive.apple.com

    Generate the profile and install it. 

    Go to your NextDNS page and under security tab turn OFF: 

    DNS Rebinding Protection

    Go to the settings tab and turn OFF:

    Block Page

    Now your NextDNS profile will work with BOTH Captive Portals at school, Starbucks, etc.

    Your NextDNS profile will also work with Apple Internet Private Relay (in iCloud settings) even though the setup tab on the NextDNS page will show that it is not.

    Why does this work? The excluded domains are ones Apple uses exclusively for captive portals and Internet Private Relay. What happens when you visit a captive portal is that Apple uses the domain to check for an HTTP connection. If it fails, it opens the sandboxed captive portal micro browser and attempts again. You are redirected to the captive portal and can log in. Because it is an excluded domain, your native DHCP will provide the DNS, allowing the redirect. On the redirect, with Apple Internet Private Relay turned on, your computer will send a plain text request to mask.icloud.com OR mask-h2.icloud.com for the IP of the private relay. Because those are excluded, you will redirect via the native DHCP DNS to the captive portal page. After you connect, everything will work as normal, with NextDNS blocking and your privacy protected by Apple Internet Private Relay.

    Hope this helps! I have been digging for a solution forever and this one works perfectly! Thank you NextDNS for updating your Apple Profile page!

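As an added illustration of the mechanism the post above describes (this is constructed example code, not part of the thread and not NextDNS or Apple software), the model below routes Apple's captive-portal probe to either the DHCP resolver or the encrypted resolver depending on the exclusion list, and shows why the probe only completes when captive.apple.com is excluded. The `Hotspot` class, its gateway and host addresses, and the login-page body are all assumptions made for the simulation.

```python
"""Constructed model: why excluding Apple's probe domains from an encrypted-DNS
profile lets captive-portal detection succeed on an unauthenticated hotspot."""
from dataclasses import dataclass, field

# Domains the post excludes from the NextDNS profile so they resolve via DHCP DNS.
EXCLUDED_DOMAINS = ("mask.icloud.com", "mask-h2.icloud.com", "captive.apple.com")

# Body Apple expects from http://captive.apple.com/hotspot-detect.html when online.
SUCCESS_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"


def matches_excluded(name, excluded=EXCLUDED_DOMAINS):
    """True when name equals, or is a subdomain of, an excluded domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in excluded)


@dataclass
class Hotspot:
    """Assumed hotspot behaviour: before login the DHCP resolver answers every
    name with the portal gateway, and traffic to an encrypted resolver is blocked."""
    gateway_ip: str = "192.0.2.1"          # constructed (TEST-NET) address
    authenticated: bool = False
    real_addrs: dict = field(default_factory=lambda: {"captive.apple.com": "198.51.100.10"})

    def dhcp_resolve(self, name):
        if not self.authenticated:
            return self.gateway_ip            # DNS answer points at the portal
        return self.real_addrs.get(name)

    def encrypted_resolve(self, name):
        if not self.authenticated:
            return None                       # DoH to NextDNS never gets through
        return self.real_addrs.get(name)

    def http_get(self, ip, path):
        if ip == self.gateway_ip and not self.authenticated:
            return "<html>Welcome, please sign in</html>"   # constructed portal page
        return SUCCESS_BODY


def probe(hotspot, excluded=EXCLUDED_DOMAINS):
    """Apple-style check: resolve the probe name via whichever resolver the
    profile selects, fetch the page, and classify the result."""
    name = "captive.apple.com"
    ip = hotspot.dhcp_resolve(name) if matches_excluded(name, excluded) else hotspot.encrypted_resolve(name)
    if ip is None:
        return "no-answer"                    # detection stalls: the blank screen users see
    body = hotspot.http_get(ip, "/hotspot-detect.html")
    return "online" if body == SUCCESS_BODY else "captive"
```

With the exclusion in place `probe(Hotspot())` returns "captive", so the portal's micro browser opens; with an empty exclusion list the same hotspot yields "no-answer".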
  • Well, unfortunately, it appears the latest iOS / macOS update has complicated the situation again. My captive portals are blank screens again. I have moved back to utilizing the apps for NextDNS instead of the Apple configuration profiles, and this seems to be working in both iOS and macOS. I will report back if I have further problems.

  • I have a captive portal on my guest network at home, this works just fine for me while using NextDNS as my DNS server.

    Tried on my Android phone which is using the Private DNS feature for it, on my laptop using the Linux command line app, and on another laptop which is just grabbing the DNS config via DHCP.

    On all three of these devices the captive portal works fine for me. 

  • It seems I couldn't retroactively apply the excluded domains, even though I put them in the allow list via the web browser portal after I installed the profile. So I decided to delete the profile and add the app instead, which works just fine now.
