If DNS over TLS is enforced, we should try to pass the captive portal without ever lowering that enforcement. If we know the names required to access the captive portal (NetworkManager should be able to expose that), we can direct only those names to the local network connection.
The same would of course apply to any other encrypted protocol, and even to manually specified unencrypted resolvers that are not the ones offered by the network.
The only danger is that the connection might be able to provide bogus answers for a domain that is not really owned by the captive portal operator.
Interesting facts were requested at https://discussion.fedoraproject.org/t/is-there-a-recommended-way-to-set-custom-dns-over-tls-https-servers-globally-that-will-not-break-captive-portal-logins/90147
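One way to express the routing rule proposed above, as an added example that is not code from the original post or from any project it refers to. The class and method names, the `DOT_UPSTREAM` placeholder, the exception lifetime and the exact-match rule are assumptions; the last two narrow the window in which the local resolver can answer, and only for the listed names.

```python
import time
from typing import Iterable, NamedTuple, Optional

# Assumed placeholder for the enforced DNS-over-TLS upstream.
DOT_UPSTREAM = "tls://dot-resolver.example"


class Route(NamedTuple):
    upstream: str
    encrypted: bool  # False: the answer comes from the untrusted local network


class PortalSplitPolicy:
    """Send only known portal names to the network's resolver; all else stays on DoT."""

    def __init__(self, network_resolver: str, lifetime: float = 300.0):
        self.network_resolver = network_resolver  # resolver offered by the network
        self.lifetime = lifetime                  # assumption: exceptions are short-lived
        self._expiry = {}                         # normalized name -> expiry time

    @staticmethod
    def _norm(name: str) -> str:
        return name.rstrip(".").lower()

    def allow_portal_names(self, names: Iterable[str], now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        for name in names:
            self._expiry[self._norm(name)] = now + self.lifetime

    def portal_passed(self) -> None:
        # Login finished: drop every exception so nothing keeps bypassing DoT.
        self._expiry.clear()

    def route(self, qname: str, now: Optional[float] = None) -> Route:
        now = time.monotonic() if now is None else now
        key = self._norm(qname)
        expiry = self._expiry.get(key)
        # Exact match only: parent domains and subdomains are not exempted,
        # which limits the names the local resolver is allowed to answer.
        if expiry is not None and now < expiry:
            return Route(self.network_resolver, encrypted=False)
        self._expiry.pop(key, None)  # forget an expired exception
        return Route(DOT_UPSTREAM, encrypted=True)
```

Answers routed with `encrypted=False` are still whatever the local network chooses to return, so a caller should treat them as unauthenticated and not reuse them after `portal_passed()`.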