detekce captiv portálu
There is more than one way to implement a captive portal.
A common method is to direct all web traffic to a web server, which returns an HTTP redirect to a captive portal.  When a modern, internet-enabled device first connects to a network, it sends out an HTTP request and expects an HTTP status code of 204. If the device receives a HTTP 204 status code, it assumes it has unlimited internet access. Captive portal prompts are displayed when you are able to manipulate this first HTTP message to return a HTTP status code of 302 (redirect) to the captive portal of your choice.
Client traffic can also be redirected using ICMP redirect on the layer 3 level.
Redirect by DNS
When a client requests a website, DNS is queried by the browser. In a captive portal, the firewall will make sure that only the DNS server(s) provided by the network’s DHCP can be used by unauthenticated clients (or, alternatively, it will forward all DNS requests by unauthenticated clients to that DNS server). This DNS server will return the IP address of the captive portal page as a result of all DNS lookups.
In order to perform redirection by DNS the captive portal uses DNS hijacking to perform an action similar to a man-in-the-middle attack. To limit the impact of DNS poisoning, a TTL of 0 is typically used.
Android Captive Portal Detection
Apple iPhone, iPad with iOS 6 Captive Portal Detection
Apple iPhone, iPad with iOS 7, 8, 9 and recent versions of OS X