Hotspot login - captive.apple.com

[jeffhuen]

Is there a way for the https over dns to bypass certain links? Seems the certain captive.apple.com hotpot login pages do not load when dns over https is active. However - once logged in - I found that I can reactivate https over dns and continue browsing over the hotspot. Just can’t use to connect on the hotspot landing page.

[ghost]

@jeffhuen it's simple tell me what server you use i will do a mobileconfig and push it for ya (on wormhole.app) like that you can download it, check it (because i not advise you to trust blindly on internet) and install it.

[ghost]

@jeffhuen if you prefer do it yourself check on "evaluate connection - action parameter" in apple docs of secure dns.

[nasiralamreeki]

@paulmillr anyway this can be addressed?

[paulmillr]

I don't know and I am not really apple tech support, sorry

[logopk]

I will try this tonight:

https://stackoverflow.com/questions/64053593/ios-14-mobileconfig-dns-over-https-with-dnsdomainmatch-whitelist-support https://developer.apple.com/documentation/devicemanagement/dnssettings/ondemandruleselement

This may also be helpful if your (private) doh server goes offline. No need to reconfigure or disable DoH

[michaeldavie]

I fixed this on my own profile by adding a rule to the OnDemandRules key. The URLStringProbe rule requests http://neverssl.com in order to detect if there's a captive portal present.

The DNS profile will only be activated if the probe returns an HTTP 200 response without a redirection. When the device is connected to a captive portal this probe will fail, the DNS profile will not be activated, and the portal login page will load using the network's DNS settings. Once the device is authenticated on the portal, the probe will succeed and the profile will be activated as usual.

I've tested this successfully with a single network (Starbucks) and would appreciate others trying it out as well. The amended section is below, and the full profile I use (with the SSID missing) is at https://gist.github.com/michaeldavie/d78e3fa6268c88c4ead093f757016309.

Edit: Modified the rules to:

1. Disconnect on my home SSID, where I have a local DNS server
2. Connect on cellular
3. Connect if NeverSSL is reachable.

This should limit the load on NeverSSL to only when I'm connected to a non-home wifi network.

        <key>OnDemandRules</key>
        <array>
          <dict>
            <key>Action</key>
            <string>Disconnect</string>
            <key>SSIDMatch</key>
            <array>
              <string>*****HOME SSID*****</string>
            </array>
          </dict>
          <dict>
            <key>Action</key>
            <string>Connect</string>
            <key>InterfaceTypeMatch</key>
            <string>Cellular</string>
          </dict>
          <dict>
            <key>Action</key>
            <string>Connect</string>
            <key>URLStringProbe</key>
            <string>http://neverssl.com</string>
          </dict>
        </array>

[nasiralamreeki]

@paulmillr can @michaeldavie fix be added for profiles? This solves the captive portal issue for me and I've tested it at other than Starbucks and it just works.

[paulmillr]

Yeah, i'd be glad to accept the pull request, with a few changes:

1. Change url to http://captive.apple.com/hotspot-detect.html which is the apple's official one
2. No home ssid

[nasiralamreeki]

@michaeldavie can you make pull requests on all the profiles with the changes @paulmillr mentions above?

[nasiralamreeki]

@paulmillr can the PR be reviewed?

[florisbrunet]

I made a report to Apple about captive portals no working when using an encrypted DNS profile on October 1st 2021. It was strange, as this was an advertised feature at WWDC, but the complete opposite seemed to be true. This week I received a reply from Apple engineering that the issue has supposedly been fixed in iOS 15.5 Release (19F77). After testing I can confirm that encrypted DNS profiles indeed work again with captive portals, also without the OnDemandRules directive/workaround suggested by @michaeldavie. This seems redundant now.

I also noticed that InterfaceTypeMatch for Cellular was added. This also seems redundant to me as well as by default the profile will be enabled on all interfaces. I tried removing this and the encrypted DNS still functioned on cellular data (and Wi-Fi).

[paulmillr]

Thanks @debrunet !

[meluvalli]

Sorry to reply to an older post, but I am also trying to get this to work with captive portals. How do you do it? I tried adding:

        <key>OnDemandRules</key>
        <array>
          <dict>
            <key>Action</key>
            <string>Disconnect</string>
            <key>SSIDMatch</key>
            <array>
              <string>MYSSID1</string>
              <string>MYSSID2</string>
            </array>
          </dict>
          <dict>
            <key>Action</key>
            <string>Connect</string>
            <key>InterfaceTypeMatch</key>
            <string>Cellular</string>
          </dict>
          <dict>
            <key>Action</key>
            <string>Connect</string>
            <key>URLStringProbe</key>
            <string>http://captive.apple.com/hotspot-detect.html</string>
          </dict>
        </array>

However, this still isn't working. I can't even get it to disconnect on my wifi and connect on all others! These rules are just flat out ignored! @debrunet Said it was fixed in 15.5 and this is what I'm running.

[paulmillr]

Ios 15.5 fixes captive portals for me even without any additional rules

[meluvalli]

Yah. I realized after I sent that, you don't need rules for the captive. But the other rules aren't working at all. I can't use the config on my local network, because then I can't access my local dns :(