Here are two issues I encountered with the “Boingo Hotspot” Wi-Fi network offered at some US airports. I’m writing it down here because this was an issue last year, and I’m sure will continue to be a problem in 2026 when I come back unless they actually fix their broken captive portal implementation.
I’m using DNS-over-TLS with systemd-resolved, and when I connected to the free
network in O’Hare, I noticed that DNS resolution requests were timing out with
dig. The issue? Boingo Hotspot blocks DNS-over-TLS/HTTPS and only allows querying
through the standard DNS port of 53.
So, if your /etc/systemd/resolved.conf (or /etc/systemd/resolved.conf.d/dns-over-tls.conf)
looks something like this:
# ...
[Resolve]
# ...
DNS=1.1.1.1#one.one.one.one
DNSOverTLS=yes
Domains=~.
# ...Then you’ll get the following message when you try to dig for domains:
$ dig google.com
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed outThe fix? Disable DNS-over-TLS. You can modify the configuration file, but that disables DNS-over-TLS for all connections. Instead, blacklist the specific Boingo Hotspot SSID through (assuming you are using):
$ nmcli connection show
$ nmcli connection modify _Free_ORD_Wi-Fi connection.dns-over-tls 00 means disable, 1 means opportunistically enable, and 2 means enable.
Now, you can verify that DNS-over-TLS was disabled by running systemd-resolve --status,
which should result in something like the following output:
$ systemd-resolve --status
Global
Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/unsupported
...
Link 3 (wlan0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 100.109.0.31
DNS Servers: 100.109.0.32 100.109.0.31
Default Route: yes
...Notice the - in front of DNSOverTLS.
With that, I fixed DNS resolutions, but I still couldn’t get any Internet access. And that’s because
This is more of a general tip, as I’m not aware of any captive portal implementation that can DNS hijack something like google.com. To work around this problem, most OSes and browser companies use a dedicated HTTP URL for checking connectivity, but this can sometimes fail. And with HSTS becoming more and more prevalent, it’s hard to find a website that will let you downgrade to HTTP.
The solution is to visit neverssl.com, which will hopefully redirect you to the captive portal.
I still don’t understand why businesses insist on using captive portals. Sure, you get the ad revenue, but this is such a terrible user experience.