>Apple has designed the ios devices in such a way that whenever you connect your iphone to a captive portal designed wifi network they bring it to your notice by popping up a tiny browser that you have to authenticate to get on internet.
>How does this work on the background?
155.726863 192.168.242.85 -> 192.168.242.15 DNS Standard query A captive.apple.com
155.901921 192.168.242.15 -> 192.168.242.85 DNS Standard query response CNAME captive.apple.com.edgekey.net CNAME e7279.dsce9.akamaiedge.net A 188.8.131.52
155.929087 192.168.242.85 -> 184.108.40.206 TCP 65431 > http [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1416 WS=5 TSV=760100837 TSER=0 SACK_PERM=1
155.930144 220.127.116.11 -> 192.168.242.85 TCP http > 65431 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSV=8650997 TSER=760100837 WS=0
>Once the devices gets a IP address the iphone tries to send traffic to captive.apple.com and if gets any reply the device knows that the user have already authenticated.
>If the device not able to reach the captive.apple.com then it understands that there is a captive portal to authenticate further.
>In this sample capture the device gets a response from 18.104.22.168 , he know that it does has internet access and CNA is not required.