Captive Portal Workaround using NextDNS Apple Profile

NextDNS is awesome, but I have been plagued by using the NextDNS Apple Profile whenever they encounter a Captive Portal. You know the one, it pops up at Starbucks, or school, or a hotel and demands you adhere to terms of service. Well, with the NextDNS profile installed on any Apple product, you would get the page in the microbrowser window but it would be blank. Agh! Why? NextDNS was doing its job and protecting you from a MITM (Man in the Middle) attack because that is what a captive portal is essentially. Well, you need to see that webpage though to get internet access. So, how to fix it?

A solution has been found! 

NextDNS updated its configuration generator at: apple.nextdns.io

In that generator for your apple devices, you can click "advanced" 

Under the section labeled "Excluded Domains" enter: 


Generate the profile and install it.  

Go to your NextDNS page and under security tab turn OFF:  

-DNS Rebinding Protection- 

Go to the settings tab and turn OFF: 

-Block Page- 

Got to "Settings" on you Apple device and turn ON Internet Private Relay.

Now your NextDNS profile will work with captive portals at school, Starbucks, etc. 

Your NextDNS profile will also work with Apple Internet Private Relay (in iCloud settings) even though the setup tab on the NextDNS page will show that it is not. 

Why does this work? The excluded domains you entered in the profile are ones apple uses exclusively for captive portals and Internet Private Relay. What happens when you visit a captive portal is Apple uses the domain to check for an http connection. If it fails, it opens the captive portal sandboxed micro browser and attempts again. Because it is an excluded domain, your native DHCP will provide the DNS allowing the redirect. You are redirected to the captive portal and can log in. On the redirect, with Apple Internet Private Relay turned on, your computer will send a plain text request to mask.icloud.com OR mask-h2.icloud.com for the IP of the private relay. Because those are excluded, you will redirect via the native DHCP DNS to the captive portal page. After you connect, everything will work as normal with NextDNS blocking and your privacy protected by Apple Internet Private Relay. 

Hope this helps! I have been digging for a solution forever and this one works perfectly! Thank you NextDNS for updating your Apple Profile page!

7 replies

    • Allen_Holder
    • 2 yrs ago
    • Reported - view

    Well, unfortunately, it appears the latest update iOS / MacOS has complicated the situation again. My captive portals are blank screens again. I have moved back to utilizing the Apps for NextDNS instead of the Apple configuration profiles and this seems to be working in both iOS and MacOS. I will report back if I have further problems.

    • Spencer
    • 2 yrs ago
    • Reported - view

    It seems I couldn't retroactively apply the excluded domains even though I put them in the allow list via the web browser portal after I installed the profile. So decided to delete the profile and add the app instead which works just fine now.

    • Sander
    • 2 yrs ago
    • Reported - view

    For Dutch users who would like to use 'Wifi in de trein' also add nstrein.ns.nl to the excluded domains.

    (Why can't we make these settings in the normal NextDNS interface so the app picks them up automatically?)

    • cursedZerox
    • 2 yrs ago
    • Reported - view

    I just came across https://github.com/paulmillr/encrypted-dns/issues/65 which mentions how you can setup the Apple Config Profile to work with captive portals. https://github.com/paulmillr/encrypted-dns/pull/94/files has the specific changes. I personally haven’t tried this yet, but if it works, maybe this could be integrated into the NextDNS Apple profile generator?

    • Robert_Carr
    • 2 yrs ago
    • Reported - view

    Hey by chance is your NextDNS ID f2b9ac ? Because that is what is prepopulated when I click on your link. FYI if so in case you do not want your metrics skewed.

    • Allen_Holder
    • 2 yrs ago
    • Reported - view

    It used to be when I was testing. I shut that down a while ago. Thanks for the warning.

    • Jrod949
    • 1 yr ago
    • Reported - view

    does this profile method work still?

Content aside

  • 1 yr agoLast active
  • 7Replies
  • 1371Views
  • 7 Following