NetworkManager, systemd-resolved and DNS-over-TLS boarded a Deutsche Bahn train - Could not log in to the WiFi to see the punchline
Struggling with WIFIonICE on your Linux distro? Your secure DNS configuration might be blocking the login page. This guide provides a quick fix to get you online on Deutsche Bahn trains without compromising your privacy on other networks.
The Scenario
You board your ICE train, open your laptop, and connect to the WIFIonICE network, but the login page at login.wifionice.de or portal.wifi.bahn.de never loads. You're stuck in a digital limbo, so close to connectivity yet so far.
The Problem: A DNS Mismatch
The issue boils down to a simple conflict. Your system, configured with secure DNS, tries to find the login portal's address by asking your custom DNS provider (e.g., NextDNS) out on the public internet.
The problem is, the address for login.wifionice.de isn't on the public internet. It exists only within the train's local network. The train's own DNS server knows where it is, but your system is configured to bypass that local server entirely for security reasons. The result? Your browser's request for the login page goes nowhere, and the captive portal fails to appear.
The Solution: A Quick Fix with NetworkManager
Thankfully, you don't have to disable your secure DNS setup every time you board a train. Using nmcli (NetworkManager command-line interface), you can create a specific rule for the ICE Wi-Fi network that allows it to work without compromising your settings for all other networks.
Step 1: Connect to the Train's Wi-Fi
First, connect to the WIFIonICE network as you normally would.
Step 2: Open a Terminal
Open your terminal application.
Step 3: Run the Magic Commands
Run the following commands in your terminal. This tells NetworkManager to be more flexible with DNS on this specific network and to consult the train's local DNS for the login portal domains.
# Set the connection name variable
CONNECTION_NAME="WIFIonICE"
# Tell NetworkManager to use DoT only when the network supports it
nmcli connection modify "${CONNECTION_NAME}" connection.dns-over-tls opportunistic
# Force the use of the network's DNS for the portal domains (IPv4)
nmcli connection modify "${CONNECTION_NAME}" ipv4.dns-search "bahn.de,iceportal.de,wifionice.de"
# Force the use of the network's DNS for the portal domains (IPv6)
nmcli connection modify "${CONNECTION_NAME}" ipv6.dns-search "bahn.de,iceportal.de,wifionice.de"
The CONNECTION_NAME variable must match the name of the Wi-Fi network (its SSID) or its NetworkManager connection ID. In most cases, it will be "WIFIonICE". If you're unsure, you can find the correct name or ID by running nmcli connection show and looking for the active Wi-Fi connection.
Step 4: Reconnect to the Network
To apply the changes, run the following commands to disconnect and reconnect to the network:
nmcli connection down "${CONNECTION_NAME}"
nmcli connection up "${CONNECTION_NAME}"
The captive portal login page should now appear, allowing you to accept the terms and get online.
Step 5: Verify the Changes (Optional)
If you're curious to see the changes in action, you can run the resolvectl command. This will show you the current DNS settings for your network connections.
resolvectl
Look for the entry corresponding to your Wi-Fi connection (e.g., Link 3 (wlp1s0)). The output should look similar to this, confirming that your changes have been applied:
Link 3 (wlp1s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: +DefaultRoute LLMNR=resolve +mDNS DNSOverTLS=opportunistic DNSSEC=no/unsupported
Current DNS Server: 172.18.0.1
DNS Servers: 172.18.0.1
DNS Domain: bahn.de iceportal.de wifionice.de
Default Route: yes
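Notice how DNSOverTLS is set to opportunistic and the DNS Domain list includes the specific portal domains. This confirms your system is now correctly configured for the train's network. In opportunistic mode, systemd-resolved attempts DNS-over-TLS and falls back to unencrypted DNS when the server does not support it, so lookups on this one connection can reach the train's resolver in plaintext.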
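The check from Step 5 can also be scripted. This is an added example, not part of the original guide: it parses resolvectl status text and confirms that the portal domains are attached to the Wi-Fi link, printing that link's DNS-over-TLS mode. The function names and the Global and Link 2 sections of the sample are constructed, and it assumes the one-line Protocols format shown above.

```bash
# Constructed sample: Link 3 copies the output above; the Global and
# Link 2 sections are made up for illustration.
SAMPLE_STATUS='Global
       Protocols: -LLMNR -mDNS DNSOverTLS=yes DNSSEC=no/unsupported
Link 2 (enp0s31f6)
       Protocols: -DefaultRoute LLMNR=resolve -mDNS DNSOverTLS=yes DNSSEC=no/unsupported
Link 3 (wlp1s0)
  Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
       Protocols: +DefaultRoute LLMNR=resolve +mDNS DNSOverTLS=opportunistic DNSSEC=no/unsupported
Current DNS Server: 172.18.0.1
     DNS Servers: 172.18.0.1
      DNS Domain: bahn.de iceportal.de wifionice.de
   Default Route: yes'

# link_field IFACE FIELD: print FIELD's value from IFACE's section of stdin.
link_field() {
  awk -v iface="$1" -v field="$2" '
    /^Global/ || /^Link [0-9]+ / { in_link = ($0 ~ "\\(" iface "\\)$"); next }
    in_link {
      line = $0; sub(/^[ \t]+/, "", line)
      if (index(line, field ":") == 1) {
        sub(/^[^:]*:[ \t]*/, "", line); print line; exit
      }
    }'
}

# dot_mode IFACE: print the link's DNS-over-TLS mode (yes, opportunistic, no).
dot_mode() {
  link_field "$1" "Protocols" | tr ' ' '\n' | sed -n 's/^DNSOverTLS=//p'
}

# audit_portal_link IFACE DOMAIN...: succeed only if every DOMAIN is a
# search/routing domain of IFACE; print the DoT mode so a downgrade is visible.
audit_portal_link() {
  local iface="$1" status domains mode d; shift
  status="$(cat)"
  domains=" $(printf '%s\n' "$status" | link_field "$iface" "DNS Domain") "
  mode="$(printf '%s\n' "$status" | dot_mode "$iface")"
  for d in "$@"; do
    case "$domains" in
      *" $d "*|*" ~$d "*) ;;
      *) echo "missing routing domain on $iface: $d"; return 1 ;;
    esac
  done
  echo "$iface: portal domains routed locally, DNSOverTLS=${mode:-unset}"
}

# Live use: resolvectl status | audit_portal_link wlp1s0 bahn.de iceportal.de wifionice.de
printf '%s\n' "$SAMPLE_STATUS" | audit_portal_link wlp1s0 bahn.de iceportal.de wifionice.de
```

Running dot_mode against your other interfaces shows whether the relaxed mode stayed confined to the train connection.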
This is a one-time fix. NetworkManager will remember these settings for the WIFIonICE connection, so you won't have to repeat this process on your next trip. Your default DNS-over-TLS settings will continue to protect you on all other networks.
Happy travels and happy browsing!