In this article
This article explains how the DNSFilter Roaming Client works with captive portals (e.g., airport, hotel, or coffee shop Wi-Fi login pages) and provides troubleshooting tips if the portal doesn’t load or connect.
Version 2.3.8 of the macOS Roaming Client introduced Travel Wi-Fi Mode, a feature that helps macOS devices load captive portals on networks such as airplanes, hotels, and airports while maintaining DNS protection. We recommend testing this agent version feature to resolve captive portal issues.
- Normal Behavior: In most cases, no action is needed. The Roaming Client automatically opens the captive portal login window
- Standards: Captive portals are covered under RFC 8908, though implementation varies
-
Potential Issues:
- Some networks (commonly hotels or airlines) allow DNS through before login. In these cases, the agent may not trigger the portal
- The Roaming Client can redirect DNS away from the network’s DHCP server, preventing the HTTP redirection to the login page
- This may leave users unable to access the captive portal or connect to the internet
- We recommend testing agent version 2.3.8's Travel Wi-Fi Mode to resolve connection issues
Captive Portal login page doesn't appear automatically
Sometimes the login page for the captive portal doesn't appear automatically.
If working with agent version 2.2.0 or older, try these troubleshooting steps to resolve the issue. Any of these methods can prompt the captive portal login window to open, but we recommend trying to in order when applicable:
- Disable any active VPN
- Re-establish the network connection
- Remove/forget the network
- Turn off and on the device's Wi-Fi
- Re-add the network
- Reopen a browser window and browse to any domain (e.g. https://www.dnsfilter.com/)
- Disable Wi-Fi automations Ask to Join Networks and/or Ask to Join Hotspots
🚨 Important: If these settings are used at home or work, turn them back on once you’re done traveling. Disabling them can prevent auto-joining trusted networks.
- Remove unknown Wi-Fi networks from the device
- Restart the device
- Open the DNSFilter status menu icon and select Access Captive Network
Add domain suffix to Local Domains
If there are issues connecting to the network, adding the domain suffix to the Local Domains list on the DNSFilter dashboard will resolve this issue.
Agent v1.8.6 and older. Add IPs for local resolvers that are not public DNS servers (like Google's 8.8.8.8). Add IPs for the DNS server provided by DHCP.
Agent v2.2.0 - v2.3.0. Adding a public DNS server like Google's 8.8.8.8 can help trigger the captive portal for some Wi-Fi sources.
Agent v2.3.8 or higher. Enable Travel Wi-Fi Mode to adjust DNS resolution to allow captive portal access. Adding domains suffixes to Local Domains is not necessary for Travel Wi-Fi Mode to work.
If you add known airline or hotel portals to your Local Domains and Resolvers list before the user travels in advance, this can prevent this issue from arising.
Captive Portal List
We comprised this list of domains used for hotels or airline Wi-Fi which can be added to your Local Domains. This may not be a complete list, as this is a work-in-progress.
🚨Important: Many airlines and hotels provide Wi-Fi services through Viasat, which is a known conflict with our Roaming Client. We recommend adding their common domains for any Organization with frequent travel.
- viasat.com
- portal.viasat.com
- wifi.viasat.com
- airborne.gogoinflight.com
- airbornet.gogoinflight.com
- edge.viasat.com
- viasatwifi.com
Airlines & Transportation
| Air France | connect.airfrance.com |
| Alaska Airlines | alaskawifi.com |
| American Airlines | aainflight.com |
| Amtrak | amtrakconnect.com |
| Breeze Airways | breezewifi.com |
| Calgary Airport | login.yyc.com |
| Delta Airlines | deltawifi.com |
| Denver Airport | login.attwifi.com |
| JetBlue Airlines | flyfi.com |
| Multiple Airlines | gogoinflight.com |
| via.boingohotspot.net | |
| Southwest Airlines | southwestwifi.com |
| United Airlines | guestwifi.united.com |
| wifi.united.com | |
| unitedwifi.com | |
| Virgin Atlantic | virgin-atlantic-wifi.com |
Hotels
| Hilton Hotels | secure.guestinternet.com |
| Hilton Dana Point Hotel | snap.selectnetworx.com |
| Hyatt Hotels | globalsuite.net |
| bap.aws.opennetworkexchange.net | |
| Marriott Hotels | marriott.com |
| cloud5.com | |
| Montage Hotels | splash.skyadmin.io |
| Multiple Hotels | hotelwifi.com |
| registerforhsia.com | |
| danmagi.com | |
| redwoodsystemsgroup.com |
Miscellaneous Connectivity Checks
| Comcast Xfinity Hotspots | xfinity.com/wifi |
| Apple devices | captive.apple.com |
|
Google |
connectivitycheck.gstatic.com |
| clients3.google.com | |
|
Microsoft |
msftncsi.com |
| msftconnecttest.com | |
| Independent Community Project | neverssl.com |
Comments
9 comments
Please add the captive portal for Delta, DeltaWiFi.com, to this list.
Source: https://www.delta.com/us/en/onboard/inflight-entertainment/onboard-wifi (Step 3)
Thanks for the suggestion, Brian Zick —added to the list!
Thank you!
Please add captive.apple.com for Apple devices.
Thanks for the suggestion, Amanda Hunt —added to the list!
How about removing the hyperlink from the local domains so we don't accidentally click through while trying to copy.
Great suggestion, Karik Hill ! Thanks for helping make our documentation better 💖
Thank you for this list!
We have a client end-user who is traveling and discovered they can't connect to the Hilton URL “secure.guestinternet.com”. Will adding the URL to the Allow List of their assigned filter policy function the same way as adding it to the Local Domains? And will they need to connect to a different internet to pull down the new setting changes before it will start working?
Hi Kyle Murphy thanks for reaching out!
Adding "secure.guestinternet.com" to the Allow List is not the same as adding it to Local Domains. The Allow List lets DNS traffic to that domain through DNSFilter, but Local Domains ensures DNS queries for that domain are handled by the local network’s DNS (often needed for captive portals like Hilton’s).
We recommend following this article's suggestions in order. Start by having the user:
If none of these local steps work, add "secure.guestinternet.com" as a Local Domain in the DNSFilter dashboard. This allows the device to bypass DNSFilter to reach the captive portal login properly.
If the user is already unable to connect, they may need to join another network temporarily to sync the updated Local Domains setting with their Roaming Client. After syncing, they can reconnect to the Hilton Wi-Fi.
Let us know if the issue persists and we can look into some different troubleshooting steps!
Please sign in to leave a comment.