
Installed nextdns via the "sh ... curl" line. Captive portals stopped working. I uninstalled nextdns but captive p still don't work. Help

On my Linux Mint Cinnamon 21.3, I installed nextdns in the terminal this way:

sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'

I couldn't log into a public wifi that uses a captive portal, so I've decided to uninstall nextdns using that same command.

But even though https://my.nextdns.io/[my_special_id]/setup says "This device is not using NextDNS.", I still can't log into the same public wifi (the one that uses a captive portal).

What must I do to completely undo whatever that linux terminal command did to my linux laptop? I wish to be able to log into

33 replies

    • R_P_M
    • 3 wk ago

    You didn’t need to uninstall the CLI, there is an option to detect captive portals, you should have tried that first.

    nextdns config set -detect-captive-portals true

      • Necks_Dee
      • 3 wk ago

       

      thanks for your reply!

      I tried the command you suggested and got this:

      ~$ nextdns config set -detect-captive-portals true
      Unrecognized parameter: true
        -auto-activate
              Run activate at startup and deactivate on exit.
        -bogus-priv
              Bogus private reverse lookups.
      
              All reverse lookups for private IP ranges (ie 192.168.x.x, etc.) are
              answered with "no such domain" rather than being forwarded upstream.
              The set of prefixes affected is the list given in RFC6303, for IPv4
              and IPv6. (default true)
        -cache-max-age duration
              If set to greater than 0, a cached entry will be considered stale after
              this duration, even if the record's TTL is higher.
        -cache-size string
              Set the size of the cache in byte. Use 0 to disable caching. The value
              can be expressed with unit like kB, MB, GB. The cache is automatically
              flushed when the pointed profile is updated. (default "0")
        -config value
              deprecated, use -profile instead
        -config-file string
              Custom path to configuration file.
        -control string
              Address to the control socket. (default "/var/run/nextdns.sock")
        -debug
              Enable debug logs.
        -detect-captive-portals
              Automatic detection of captive portals and fallback on system DNS to
              allow the connection to establish.
      
              Beware that enabling this feature can allow an attacker to force nextdns
              to disable DoH and leak unencrypted DNS traffic.
        -discovery-dns string
              The address of a DNS server to be used to discover client names.
              If not defined, the address learned via DHCP will be used. This setting
              is only active if report-client-info is set to true.
        -forwarder value
              A DNS server to use for a specified domain.
      
              Forwarders can be defined to send proxy DNS traffic to an alternative
              DNS upstream resolver for specific domains. The format of this parameter
              is [DOMAIN=]SERVER_ADDR[,SERVER_ADDR...].
      
              A SERVER_ADDR can ben either an IP[:PORT] for DNS53 (unencrypted UDP,
              TCP), or a HTTPS URL for a DNS over HTTPS server. For DoH, a bootstrap
              IP can be specified as follow: https://dns.nextdns.io#45.90.28.0.
              Several servers can be specified, separated by commas to implement
              failover.
              This parameter can be repeated. The first match wins.
        -hardened-privacy
              Deprecated.
        -listen value
              Listen address for UDP DNS proxy server.
        -log-queries
              Log DNS queries.
        -max-inflight-requests uint
              Maximum number of inflight requests handled by the proxy. No additional
              requests will not be answered after this threshold is met. Increasing
              this value can reduce latency in case of burst of requests but it can
              also increase significantly memory usage. (default 256)
        -max-ttl duration
              If set to greater than 0, defines the maximum TTL value that will be
              handed out to clients. The specified maximum TTL will be given to
              clients instead of the true TTL value if it is lower. The true TTL
              value is however kept in the cache to evaluate cache entries
              freshness. This is best used in conjunction with the cache to force
              clients not to rely on their own cache in order to pick up
              profile changes faster.
        -mdns string
              Enable mDNS to discover client information and serve mDNS learned names over DNS.
              Use "all" to listen on all interface or an interface name to limit mDNS on a
              specific network interface. Use "disabled" to disable mDNS altogether. (default "all")
        -profile value
              NextDNS custom profile id.
      
              The profile id can be prefixed with a condition that is match for
              each query:
              * 10.0.3.0/24=abcdef: A CIDR can be used to restrict a profile to
                a subnet.
              * 2001:0DB8::/64=abcdef: An IPv6 CIDR.
              * 00:1c:42:2e:60:4a=abcdef: A MAC address can be used to restrict
                profile to a specific host on the LAN.
              * eth0=abcdef: An interface name can be used to restrict a profile
                to all hosts behind this interface.
      
              This parameter can be repeated. The first match wins.
        -report-client-info
              Embed clients information with queries.
        -setup-router
              Automatically configure NextDNS for a router setup.
              Common types of router are detected to integrate gracefully. Changes
              applies are undone on daemon exit. The listen option is ignored when
              this option is used.
        -timeout duration
              Maximum duration allowed for a request before failing. (default 5s)
        -use-hosts
              Lookup /etc/hosts before sending queries to upstream resolver. (default true)
      
      • Necks_Dee
      • 3 wk ago

       

      I tried

      sudo nextdns config set -detect-captive-portals

      but the captive portal with my public library wifi still doesn't work :(

      • R_P_M
      • 3 wk ago

       How did you log in to the public WiFi before? Maybe the portal site is still in your browser history?

      • Necks_Dee
      • 3 wk ago

      I'm not at the public library right now, but I don't think it's because the webpage is cached in browser history. Is there something I could paste here to let us investigate what's going on? Some terminal command I could run?

      • R_P_M
      • 3 wk ago

       Well I wasn’t thinking of browser cache as such, more about the login page location to revisit. If it’s not in history maybe you could try visiting the IP address of the router or dns IP (if it’s different from router IP).

      • Necks_Dee
      • 3 wk ago

        I don't know the IP address or DNS IP. When I'm at the public library, we can go to any website and it should redirect to a URL of the captive portal.

      • R_P_M
      • 3 wk ago

       The IP addresses should appear in your network manager once you’ve connected to the public library WiFi.

      I’m familiar with how it’s supposed to work after seeing a few different setups in the past.

      Maybe try out “sudo nextdns deactivate” when connected to the WiFi, try to login. Then once internet access is allowed “sudo nextdns activate” and see if it’s working still. 

      • Necks_Dee
      • 3 wk ago

       

       

      I tried out sudo nextdns deactivate when connected to this public library's wifi. I then tried to log in, but it still gives the same error message.

      On firefox:

          Hmm. We're having trouble finding that site.

          We can't connect to the server at captiveportal-login.[publiclibrarywebsite].com

      On Chromium

          Your connection is not private.

          Attackers might be trying to steal your information from yahoo<dot>com)

          NET:ERR_CERT_COMMON_NAME_INVALID

          This server could not prove that it is yahoo<dot>com; its security certificate is from *.[publiclibrarywebsite].com. This may be caused by a misconfiguration or an attacker intercepting your connection.

      (I put the dot in yahoo . com in brackets because this nextdns help forum thinks it's spam otherwise)

      When I click "Proceed anyway", I'm taken to this error message:

          This site can't be reached.

          Check if there's a typo in captiveportal-login.[publiclibrarywebsite].com

          DNS_PROBE_FINISHED_NXDOMAIN

      • R_P_M
      • 3 wk ago

       Well that’s interesting: it’s correctly capturing and redirecting to the login, but it’s receiving an NXDOMAIN from the DNS server. So, therefore, it’s connecting to a DNS server OK because there is a response. Unfortunately, however, the response is broken/wrong.

      Ok next time try a dig command for the login page/site. Hopefully it will show what dns server it’s using.

      dig a captiveportal-login.[publiclibrarywebsite].com

      • Necks_Dee
      • 2 wk ago

       

      dig a captiveportal-login.librarywebsite.com
      ;; communications error to 127.0.0.53#53: timed out

      ; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> a captiveportal-login.librarywebsite.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56941
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 65494
      ;; QUESTION SECTION:
      ;captiveportal-login.librarywebsite.com.    IN    A

      ;; AUTHORITY SECTION:
      librarywebsite.com. 86400 IN SOA lucy.librarywebsite.com. root.lucy.librarywebsite.com. 2024102101 10800 3600 3600000 86400

      ;; Query time: 22 msec
      ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
      ;; WHEN: Mon Nov 04 15:08:37 PST 2024
      ;; MSG SIZE  rcvd: 101

      • R_P_M
      • 2 wk ago

       OK, I think 127.0.0.53 is systemd-resolved. I’ll need to refresh my memory on systemd-resolved as it’s been a long time since I’ve had to deal with it (or battle with it sometimes). Will be back with more info in about a day or two. 

      • R_P_M
      • 2 wk ago

      Right, for systemd-resolved to find out what dns server is in use, run this command:

      resolvectr status
      

      It will spit out lots of info but all we need is the DNS server lines.

      • Necks_Dee
      • 2 wk ago

      to bypass review, I changed ".io" to "DOT io".

       

      ~$ resolvectr status
      Command 'resolvectr' not found, did you mean:
        command 'resolvectl' from deb systemd-resolved (255.4-1ubuntu8.4)
      Try: sudo apt install <deb name>

      ~$ resolvectl status
      Global
               Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
        resolv.conf mode: stub
      Current DNS Server: 45.90.28.0#compy-1c34c4.dns.nextdns DOT io
      DNS Servers: 45.90.28.0#compy-1c34c4.dns.nextdns DOT io
                          2a07:a8c0::#compy-1c34c4.dns.nextdns DOT io
      45.90.30.0#compy-1c34c4.dns.nextdns DOT io
                          2a07:a8c1::#compy-1c34c4.dns.nextdns DOT io

      Link 2 (wlp3s0)
          Current Scopes: DNS
               Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
      Current DNS Server: 75.153.171.114
             DNS Servers: 75.153.176.1 75.153.171.114

      • Necks_Dee
      • 2 wk ago

       

      My previous post was when I was connected to a working wifi (not the problematic public-library wifi). In this post, I share the terminal printout when connected to the problematic public-library wifi:

       

       resolvectl status
      Global
               Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
        resolv.conf mode: stub
      Current DNS Server: 45.90.28.0#compy-1c34c4.dns.nextdns DOT io
      DNS Servers: 45.90.28.0#compy-1c34c4.dns.nextdns DOT io
                          2a07:a8c0::#compy-1c34c4.dns.nextdns DOT io
      45.90.30.0#compy-1c34c4.dns.nextdns DOT io
                          2a07:a8c1::#compy-1c34c4.dns.nextdns DOT io

      Link 2 (wlp3s0)
          Current Scopes: DNS
               Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
      Current DNS Server: 207.194.177.177
             DNS Servers: 207.194.177.177

      • R_P_M
      • 2 wk ago

       Ah, there’s the problem. It shows on the first print out the issue at hand (the second one just confirms it). ((p.s. sorry about the typo with the command))

      It’s showing that you’ve set up NextDNS within the systemd-resolved settings, and that is overriding the DNS from the WiFi connection.

      Since you’ve installed the CLI already you probably should remove NextDNS from the systemd-resolved setup (it complicates things - as you have found out). 

      Edit the file /etc/systemd/resolved.conf with super user privileges. Comment the NextDNS lines out using #, to save it for later (just for a backup). A system reboot should get it back to working as default. Check using the command from last time, should not list anything for “global” dns. 
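The Global-versus-Link override described in the reply above can be checked mechanically. The script below is an added example, not part of the nextdns CLI or of anyone's post in this thread: it parses `resolvectl status` text (a constructed sample in the same shape as the output posted earlier) and reports when a Global DNS server, such as the NextDNS DoT entry from /etc/systemd/resolved.conf, takes precedence over the link's DHCP-supplied resolver, which is the condition under which venue-only names like the captive-portal host come back NXDOMAIN.

```shell
#!/bin/sh
# Added diagnostic for the thread's situation: a Global DNS server in
# /etc/systemd/resolved.conf overrides the per-link DNS handed out by the
# Wi-Fi's DHCP, so hostnames only the venue's resolver knows get NXDOMAIN.
# SAMPLE_STATUS is constructed from the resolvectl output posted above.
SAMPLE_STATUS='Global
         Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 45.90.28.0#compy-1c34c4.dns.nextdns.io
       DNS Servers: 45.90.28.0#compy-1c34c4.dns.nextdns.io
                    2a07:a8c0::#compy-1c34c4.dns.nextdns.io

Link 2 (wlp3s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 207.194.177.177
       DNS Servers: 207.194.177.177'

# Print the "Current DNS Server" of one section: "Global" or a link name
# such as wlp3s0. Prints nothing if that section has no current server.
current_dns() {   # $1 = resolvectl status text, $2 = section name
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Global$/        { sect = "Global"; next }
        /^Link [0-9]+ \(/ { sub(/^Link [0-9]+ \(/, ""); sub(/\).*$/, ""); sect = $0; next }
        sect == want && $0 ~ /Current DNS Server:/ {
            sub(/.*Current DNS Server: */, ""); print; exit }'
}

# Succeeds (exit 0) when a Global DNS server is configured, i.e. resolved
# will send queries there instead of only to the link's own resolver.
global_override() {   # $1 = resolvectl status text
    [ -n "$(current_dns "$1" Global)" ]
}

# Human-readable verdict for one link; returns 1 when an override exists.
diagnose() {   # $1 = resolvectl status text, $2 = link name
    g=$(current_dns "$1" Global); l=$(current_dns "$1" "$2")
    if global_override "$1"; then
        printf 'Global DNS %s overrides %s DNS %s: portal names may NXDOMAIN\n' "$g" "$2" "$l"
        return 1
    fi
    printf 'No global override; %s resolves via %s\n' "$2" "$l"
}

# Run on the constructed sample; on a real machine pass "$(resolvectl status)".
diagnose "$SAMPLE_STATUS" wlp3s0 || true
```

After commenting out the DNS= lines in resolved.conf and rebooting, the Global section should show no current server and diagnose should report no override.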

      • Necks_Dee
      • 2 wk ago

       

      thanks for your reply. Two points in response.

       

      Point 1. Actually, I've been having this issue since before I changed /etc/systemd/resolved.conf. I've had this issue for 2 weeks (since I created this thread). I changed resolved.conf only a few days ago. So I'm not sure how undoing resolved.conf will fix things.

       

      Point 2: I'm not at the public library right now. I haven't commented the nextdns lines out yet from resolved.conf. I'm at home, and when I go to http s :// my . nextdns DOt io/, it does say

      All good!

      This device is using NextDNS with this profile.

      • R_P_M
      • 13 days ago

       Setting NextDNS in systemd-resolved while also using the CLI is not recommended (you don’t really want to accidentally override some of the advanced features of the CLI & can sometimes cause confusion as to whether the CLI is working correctly).

      When at library try “ping -c5 207.194.177.177” and also put “207.194.177.177” into a browser location, see if anything shows up. 

      • Necks_Dee
      • 13 days ago

       

      Without undoing CLI or resolved.conf (yet) I did this:

      ~$  resolvectl status
      Global
               Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
        resolv.conf mode: stub
      Current DNS Server: 45.90.30.0#compy-1c34c4.dns . nextdns . io
             DNS Servers: 45.90.28.0#compy-1c34c4.dns . nextdns . io
                          2a07:a8c0::#compy-1c34c4.dns . nextdns . io
                          45.90.30.0#compy-1c34c4.dns . nextdns . io
                          2a07:a8c1::#compy-1c34c4.dns . nextdns . io

      Link 2 (wlp3s0)
          Current Scopes: DNS
               Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
      Current DNS Server: 207.194.177.177
             DNS Servers: 207.194.177.177

       

      ~$ ping -c5 207.194.177.177
      PING 207.194.177.177 (207.194.177.177) 56(84) bytes of data.

      --- 207.194.177.177 ping statistics ---
      5 packets transmitted, 0 received, 100% packet loss, time 4126ms

       

      In a private/incognito browser tab, I put 207.194.177.177 and hit Enter. After 10 seconds, it redirected to https:// captiveportal-login DOT publiclibrarysite DOT com/swarm.cgi?opcode=cp_generate&orig_url=687474703a2f2f3230372e3139342e3137372e3137372f.

      The window has the text:

      Hmm. We’re having trouble finding that site.

      We can’t connect to the server at captiveportal-login . publiclibrarysite dot com

      If you entered the right address, you can:

          Try again later
          Check your network connection
          Check that Firefox has permission to access the web (you might be connected but behind a firewall)

      • Necks_Dee
      • 13 days ago

       

      After my reply of 5 minutes ago (https://help.nextdns.io/t/m1yzty4?r=35yzjsj), I have just commented-out the nextdns-related lines from my resolved.conf file

      Ready to do whatever steps we need.

      • R_P_M
      • 13 days ago

       I have no idea why the library’s captive portal is pointing you to a domain that is being replied as NXDOMAIN from their own DNS server. It makes no sense.

      Anyway, enough of the commentary. Let’s get back to trying to get around this problem. 

      One thought I had while mulling over your issue, testing the login with a different/clean device. Obviously if you don’t have any other devices, you couldn’t test that way. So then I thought, what about using a live image to boot into, like the one you probably used to install Mint Cinnamon in the first place, that’s a clean system. Do you still have the install media or has it been repurposed as something else?

      • Necks_Dee
      • 12 days ago

      I have live usb, i believe.

      So just to check... can't I just create a new administrator account on my Linux Mint? Is that not a good enough solution?

      • R_P_M
      • 12 days ago

       Nice thought but sadly no. A change of account is not enough to reset the settings, installing the CLI and the change to systemd-resolved will affect any other account on the device (it’s a systemwide change).

      The objective is to test whether a clean system can even login to the library’s captive portal successfully or not (my thinking is that it will also fail with the same problem - which will conclude that the fault is with their system). If it does turn out to be theirs, who do you explain the problem to (who would understand the issue?). Would a simple reboot of their system be enough?

      Well anyway, let’s not jump to conclusions just yet. Testing with the live usb & login to the captive portal to check it works. 

      • Necks_Dee
      • 12 days ago

      I haven't tried the Live Mint USB in library.

      Just thought I'd share a data point. I'm on transit which offers free wifi. It has a captive portal and my Linux Mint laptop was able to see the captive portal. I put a check mark in the "Agree to these Terms and conditions" button and clicked Submit and now I'm connected to the transit's wifi.

    • Necks_Dee
    • 12 days ago

    R_P_M said:
        The objective is to test whether a clean system can even login to the library’s captive portal successfully or not (my thinking is that it will also fail with the same problem - which will conclude that the fault is with their system).

    But I can log into the public library's wifi on my phone. Plus, there's so many people at that library with their laptops. I have been assuming they can connect to the wifi, too.
