DNS-address of captive portal doesn't get resolved properly (phone THINKS there is no internet)

I constantly get notifications that there’s no internet on my WLAN network, while I can use it perfectly fine. The problem is, if mobile data is enabled too, it will use that instead. This is a costly issue because it recently burnt all my 30GB of mobile data volume while being on WLAN.

I did some digging and I think I narrowed the problem down to kuketz.de’s IP not being updated on Cloudflare’s DNS server. I tried to manually resolve the address and found that kuketz.de might have a malformed signature that potentially gets rejected by Cloudflare (but not Google). Here are the results:

Cloudflare

❯ dig @1.1.1.1 kuketz.de

; <<>> DiG 9.20.21 <<>> @1.1.1.1 kuketz.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41525
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority)
;; QUESTION SECTION:
;kuketz.de.			IN	A

;; Query time: 251 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sat Mar 28 05:00:30 CET 2026
;; MSG SIZE  rcvd: 44

Google

❯ dig @8.8.8.8 kuketz.de

; <<>> DiG 9.20.21 <<>> @8.8.8.8 kuketz.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5100
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 6 (DNSSEC Bogus): (RRSIG with malformed signature found for kuketz.de/dnskey (keytag=61012))
;; QUESTION SECTION:
;kuketz.de.			IN	A

;; ANSWER SECTION:
kuketz.de.		21600	IN	A	46.38.242.112

;; Query time: 25 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sat Mar 28 05:00:35 CET 2026
;; MSG SIZE  rcvd: 132

I am not experienced with this stuff, so take this with a grain of salt. But to me, this theory makes sense.

I have had issues with this captive portal for years now. If there is an easy way to change it back to Google or any other portal, please let me know, because I have to pay real money to recharge the data volume this issue has drained, so I am over it this time, unless a fix is in sight!

1 Like

I have had issues with captiveportal.kuketz.de the past few weeks too, I was trying to sort out if it was my firewall or a broader issue (I kept forgetting to check wifi outside my main environment), but in the meantime just disabled “System Settings > Network & internet > Connectivity Check” :slight_smile:

The other iodé team members in France and Spain didn’t report any issues like I was having (in the USA), I think you got it right @Switch with your diagnosis.

UPDATE: I rechecked and it is working now. whois reports this:

Domain: kuketz.de
Nserver: root-dns.netcup.net
Nserver: second-dns.netcup.net
Nserver: third-dns.netcup.net
Status: connect
Changed: 2026-03-30T09:50:30+02:00

So they must have just solved things today :slight_smile:

I believe I asked earlier if there was a possibility that the connectivity check server could be user-configured, but I don’t recall any answer, I may need to inquire again :slight_smile:

Fuller dig:

$ dig captiveportal.kuketz.de

; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> captiveportal.kuketz.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59113
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;captiveportal.kuketz.de.	IN	A

;; ANSWER SECTION:
captiveportal.kuketz.de. 6928	IN	A	46.38.242.112

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Mar 30 10:47:46 CDT 2026
;; MSG SIZE  rcvd: 68
1 Like

Thank you! I was starting to feel like I am crazy with no one else reporting the kind of issues I am experiencing. :smiley:

Since I reported it, it swayed from working to not working and back several times. On average the issue comes up every 48h and is resolved after 24h (at least recently). So 50% of the time it doesn’t work. At the time of posting this, it is working.

What is interesting: whenever Cloudflare works, Google doesn’t report the error with the signature. Which means it must be an issue on Kuketz’s side that affects both providers, they just handle it differently. Google accepts the IP but reports DNSSEC Bogus; Cloudflare, on the other hand, seemingly rejects it outright (No Reachable Authority). Now that Cloudflare works, the errors from both providers are gone.

Cloudflare

❯ dig @1.1.1.1 kuketz.de
(...)
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kuketz.de.			IN	A

;; ANSWER SECTION:
kuketz.de.		86400	IN	A	46.38.242.112
(...)

Google

❯ dig @8.8.8.8 kuketz.de
(...)
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;kuketz.de.			IN	A

;; ANSWER SECTION:
kuketz.de.		21600	IN	A	46.38.242.112
(...)

I guess the reason why this issue has driven me nuts for years (and not others) is that no one uses Cloudflare’s DNS server all the time, like I do :smiley: Mike Kuketz seems to be a pretty busy guy, maybe someone from the iodé team can contact him (instead of me) to have a bit of leverage?
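
Added example, not part of any post in this thread: a small Python parser that pulls the rcode, header flags, EDE (Extended DNS Error) entries and A records out of saved dig output and reports where two resolvers disagree, as in the 1.1.1.1 versus 8.8.8.8 comparison above. The sample inputs are trimmed from the outputs quoted in the thread; the function names are assumptions made for this example.

```python
import re

# Samples trimmed from the dig outputs quoted in this thread (28 Mar 2026).
CLOUDFLARE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41525
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 22 (No Reachable Authority)
;kuketz.de.\t\t\tIN\tA
"""
GOOGLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5100
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 6 (DNSSEC Bogus): (RRSIG with malformed signature found for kuketz.de/dnskey (keytag=61012))
;kuketz.de.\t\t\tIN\tA
kuketz.de.\t\t21600\tIN\tA\t46.38.242.112
"""

def parse_dig(text):
    """Extract rcode, header flags, EDE entries and A records from dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    return {
        "status": status.group(1) if status else None,
        "flags": flags.group(1).split() if flags else [],
        # EDE lines look like "; EDE: <code> (<name>)", optionally with extra text
        "ede": [(int(c), n) for c, n in
                re.findall(r"^; EDE: (\d+) \(([^)]*)\)", text, re.M)],
        # Answer lines have a numeric TTL; the question line does not
        "a": re.findall(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)$", text, re.M),
    }

def diagnose(results):
    """results maps resolver name -> parse_dig() dict; returns a list of findings."""
    findings = []
    for name, r in results.items():
        if r["status"] == "SERVFAIL":
            findings.append(f"{name}: SERVFAIL, no usable answer")
        for code, label in r["ede"]:
            findings.append(f"{name}: EDE {code} ({label})")
    statuses = {r["status"] for r in results.values()}
    if len(statuses) > 1:
        findings.append("resolvers disagree on rcode: " + ", ".join(sorted(statuses)))
    return findings

def run_sample():
    return diagnose({"1.1.1.1": parse_dig(CLOUDFLARE), "8.8.8.8": parse_dig(GOOGLE)})

if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

To use it on live data, save the output of each `dig @resolver name` run to a file and pass the file contents to `parse_dig`.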