Whitelist captive.apple.com to prevent breaking iPhone access
Currently, when our students with iPhones try to connect to our Student Wireless network (filtered with GoGuardian DNS) they immediately get an error message saying that they are not connected to the internet and need to sign in.
At that point the phone tries to open a "sign in page" to let the user sign in and they just see a GoGuardian DNS block page instead. Students then (understandably) think that they have been blocked from the network and won't be able to access any sites.
What's happening is that the iPhone's captive portal detection works by trying to access https://captive.apple.com, and if that request gives back anything other than "Success", the iPhone assumes that the network has a captive portal and tries to help the user log in by presenting them with the page that https://captive.apple.com was redirected to, assuming that said page will be a login page that they can use to gain full access.
The reason that https://captive.apple.com is blocked on our network is that we block the e-commerce category, and thus all of apple.com is blocked.
Please find a list of all of the domains that Apple/Google/whoever use as tests for captive portals and whitelist them for all GoGuardian DNS users.
I manually whitelisted captive.apple.com and that seems to have solved the problem for us, for now.
Danny P commented
If anyone stumbles into this same problem, for us, the issue was the MUSIC and ENTERTAINMENT categories. Despite numerous attempts to whitelist captive.apple.com and any and all subdomains, the categories of Music and Entertainment were prioritized over the URL. Once we turned off the Music and Entertainment categories, the issues went away. This is not a solution, as we would like to still have Music and Entertainment blocked, but at least our iPads work now.
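To confirm from a machine on the filtered network whether the probe described in the post is still being intercepted after an allowlist or category change, a check like the following can be used. This is an added example, not part of the original thread or of GoGuardian's tooling. The plain-HTTP probe URL, the exact "Success" page body and the sample block page are assumptions constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Assumption: plain-HTTP form of the host named in the post.
PROBE_URL = "http://captive.apple.com/"

# Constructed sample bodies: the expected probe page and a generic filter block page.
SAMPLE_OK = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"
SAMPLE_BLOCK = "<html><head><title>Blocked</title></head><body>This site is blocked.</body></html>"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def visible_text(body):
    """Drop tags and collapse whitespace so only the rendered words remain."""
    return " ".join(re.sub(r"<[^>]*>", " ", body).split())


def classify_probe(status, body, location=None):
    """Mirror the rule in the post: anything other than "Success" means intercepted."""
    if 300 <= status < 400 or location:
        return f"intercepted: redirected to {location or 'unknown'}"
    if status == 200 and set(visible_text(body).split()) == {"Success"}:
        return "ok"
    return f"intercepted: HTTP {status} with unexpected body"


def fetch_probe(url=PROBE_URL, timeout=5.0):
    """Fetch the probe without following redirects; returns (status, body, location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace"), None
    except urllib.error.HTTPError as err:
        body = err.read(4096).decode("utf-8", "replace")
        return err.code, body, err.headers.get("Location")


if __name__ == "__main__":
    # Run on a client that uses the filtered DNS resolver.
    print(classify_probe(*fetch_probe()))
```

Re-running it after each policy change shows whether an allowlist entry actually took effect or is still being overridden by a category rule, as described in the comment above.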