eduardomazolini
newbie
Topic Author
Posts: 31
Joined: Thu Jul 16, 2015 9:14 pm

Feature request: Hotspot use SNI for HTTPS walled Garden

Mon Feb 27, 2017 9:16 pm

Today, the Hotspot Walled Garden uses the DNS cache to pass all requests to the IP resolved from DNS when an HTTPS request is made.
Google and Facebook use the same servers for many services. Putting the Facebook/Google API in the Walled Garden is the same as putting all their services in.

And an option to disable the current DNS-based method for the Walled Garden when SNI is enabled is important.

Using SNI, connections need to be validated one by one, increasing CPU processing.
 
gamerxp
just joined
Posts: 10
Joined: Fri Dec 09, 2016 2:54 am
Location: Thailand

Re: Feature request: Hotspot use SNI for HTTPS walled Garden

Mon May 08, 2017 9:29 am

As HTTPS is encrypted, the router cannot read through the encryption without breaking it (the router proxying the HTTPS connection). If so, you will get a certificate error on the client side.

Correct me if I'm wrong.
 
ziegenberg
Frequent Visitor
Posts: 53
Joined: Thu Mar 07, 2013 11:14 am
Location: Vienna

Re: Feature request: Hotspot use SNI for HTTPS walled Garden

Mon May 08, 2017 1:00 pm

As HTTPS is encrypted, the router cannot read through the encryption without breaking it (the router proxying the HTTPS connection). If so, you will get a certificate error on the client side.

Correct me if I'm wrong.
SNI is non-encrypted meta information. Read more here: https://en.wikipedia.org/wiki/Server_Name_Indication. That's why SNI for the HTTPS walled garden is necessary to NOT break the SSL connection.

daniel
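The point above, that the server name travels in the clear, can be checked directly: a ClientHello can be walked field by field with no keys involved, and the SNI compared against a walled-garden allowlist. This is an added example, not code from this thread or from RouterOS; the allowlist entries and the ClientHello builder are constructed for the demonstration.

```python
import struct

WALLED_GARDEN = {"login.example.com", "*.static.example.net"}  # constructed allowlist, not a real config

def _u16(b: bytes, i: int) -> int:
    return struct.unpack("!H", b[i:i + 2])[0]          # raises struct.error if truncated

def extract_sni(record: bytes):
    """Return the lower-cased server_name from a TLS ClientHello record, else None.
    Everything walked here is plaintext: no interception or key material is involved."""
    if len(record) < 5 or record[0] != 0x16:             # 0x16 = handshake record type
        return None
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:                     # 0x01 = ClientHello
        return None
    try:
        pos = 4 + 2 + 32                                 # handshake header, version, random
        pos += 1 + hs[pos]                               # session_id
        pos += 2 + _u16(hs, pos)                         # cipher_suites
        pos += 1 + hs[pos]                               # compression_methods
        end = min(pos + 2 + _u16(hs, pos), len(hs))      # end of extensions block
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0 and hs[pos + 2] == 0:          # server_name ext, name_type host_name
                name = hs[pos + 5:pos + 5 + _u16(hs, pos + 3)]
                return name.decode("ascii").lower()
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                             # malformed or truncated: treat as no SNI
    return None

def walled_garden_allows(record: bytes) -> bool:
    """Pass the connection only when its SNI matches an allowlist entry (exact or *.wildcard)."""
    host = extract_sni(record)
    if host is None:
        return False                                     # no SNI: deny instead of trusting DNS cache
    return any(host == e or (e.startswith("*.") and host.endswith(e[1:]))
               for e in WALLED_GARDEN)

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension (test input)."""
    name = host.encode("ascii")
    sni = b"\x00" + struct.pack("!H", len(name)) + name                      # host_name entry
    ext = struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni              # type, ext len, list len
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Because only the first record of each connection needs this parse, the per-connection cost the original poster worries about is one small plaintext walk, not a TLS handshake.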
 
gamerxp
just joined
Posts: 10
Joined: Fri Dec 09, 2016 2:54 am
Location: Thailand

Re: Feature request: Hotspot use SNI for HTTPS walled Garden

Tue May 09, 2017 2:04 am

As HTTPS is encrypted, the router cannot read through the encryption without breaking it (the router proxying the HTTPS connection). If so, you will get a certificate error on the client side.

Correct me if I'm wrong.
SNI is non-encrypted meta information. Read more here: https://en.wikipedia.org/wiki/Server_Name_Indication. That's why SNI for the HTTPS walled garden is necessary to NOT break the SSL connection.

daniel
Thanks for clarifying that :D
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature request: Hotspot use SNI for HTTPS walled Garden

Tue May 09, 2017 1:49 pm

SNI is non-encrypted meta information. Read more here: https://en.wikipedia.org/wiki/Server_Name_Indication. That's why SNI for the HTTPS walled garden is necessary to NOT break the SSL connection.
IMHO trickling with DNS is more universal and does not require actual traffic to be inspected - just redirect DNS requests to a policy-based (even centralised) DNS server.
There is an option available in dnsmasq and dnrd to include the client MAC address (or a hashed version of it, to provide some confidentiality) in the EDNS0 field, so in the end you can have per-device granularity.

Of course it lacks in-depth URL visibility, but at least this is a quick and easy way to take control over client requests. Not to mention that it has better visibility than SNI, as one cert may cover multiple FQDNs, whereas one A or AAAA record is likely to identify one. Also, it works with IPv6 as well and with non-HTTP protocols like QUIC.
