Requesting http://1.1.1.1 yields a webserver’s response containing a 302 or some javascript redirect to http://captiveportal.somehotel.org/blafoo or https://captiveportal.somehotel.org/blafoo. Looks like an intercepting transparent webproxy.
You are correct, requesting http://neverssl.com can’t work unless I hard-code this domain name in captive-portals.txt.
However, a dig captiveportal.somehotel.org +short on an uplink qube (sys-firewall, AppVMs) doesn’t work / times out. That’s why I believe the iptables DNAT rule (as described here) doesn’t work. The next time I have to deal with a captive portal I will look into that again.
Thanks, you got a point there.