macOS Network – Why Computer Makes Hundreds of Requests to captive.apple.com

Tags: catalina, dns, network, privacy

I'm experimenting with NextDNS, and I noticed that my PC is making hundreds of requests an hour to captive.apple.com. Currently 40% of my DNS queries are to apple.com.

I understand this is a feature to detect if the computer is connected to a captive portal. However, it's not connected to a captive portal; it's connected to my home network, and DNS requests, including requests to captive.apple.com, are resolving.

Even if I connect to a VPN that has its own DNS settings, the OS continues to send these captive.apple.com requests to the DNS server specified in the Network preferences (although other requests go via the VPN).

I tried disabling com.apple.captive.control from this answer; however, the requests are still being sent. I disabled my network connection for a while to confirm my computer was the source of the requests, and the requests stopped appearing in the logs. They reappeared again when I re-enabled my connection.

NextDNS has a quota, and these DNS requests are going to use the majority of the quota.

Why is my computer making so many requests to captive.apple.com? Is it normal, and is there a way to stop it?

I'm on OSX 10.15.7.

Best Answer

I analysed the traffic with tcpdump -k port 53 (suggested by this Reddit thread), and it turns out it was expressvpnd, part of Express VPN.

That was surprising, because I didn't have the Express VPN client running, but it appears to set up a daemon that sends DNS queries to captive.apple.com and www.mb6gpu84.com even when the app is not running.

I removed expressvpnd and killed the process, and the requests stopped.
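
The per-process attribution that the answer read off the tcpdump -k output by eye can be tallied automatically. This is an added example, not part of the original answer. The "proc NAME:PID" metadata layout is an assumption, the capture lines are constructed, and dns_by_process and sample_capture are hypothetical names.

```shell
#!/bin/sh
# Added example: attribute DNS queries to local processes from the text
# output of `tcpdump -k port 53` (the command used in the answer).
# Assumed line layout: a metadata group containing "proc NAME:PID", and
# queries printed as "TYPE? name." (for example "A? captive.apple.com.").

dns_by_process() {
    awk '
    {
        # Only queries carry a "TYPE? name" token; skip everything else.
        if (!match($0, / [A-Z][A-Z0-9]*[?] [^ ]+/)) next
        q = substr($0, RSTART + 1, RLENGTH - 1)
        sub(/^[^ ]+ /, "", q)      # drop the "TYPE? " prefix
        sub(/\.$/, "", q)          # drop the trailing root dot

        proc = "unknown"           # line had no process metadata
        if (match($0, /proc [^:,)]+:[0-9]+/)) {
            proc = substr($0, RSTART + 5, RLENGTH - 5)
            sub(/:[0-9]+$/, "", proc)   # aggregate by name, not PID
        }
        count[proc "\t" tolower(q)]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -t "$(printf '\t')" -k1,1nr
}

# Constructed capture lines (not real traffic); addresses are documentation ranges.
sample_capture() {
    cat <<'EOF'
10:00:01.000001 (en0, proc expressvpnd:612, svc BE, out, so) IP 192.168.1.20.51000 > 192.0.2.53.53: 1111+ A? captive.apple.com. (35)
10:00:01.050000 (en0, proc expressvpnd:612, svc BE, in, so) IP 192.0.2.53.53 > 192.168.1.20.51000: 1111 1/0/0 A 192.0.2.10 (51)
10:00:06.000002 (en0, proc expressvpnd:612, svc BE, out, so) IP 192.168.1.20.51001 > 192.0.2.53.53: 1112+ A? captive.apple.com. (35)
10:00:06.100000 (en0, proc expressvpnd:612, svc BE, out, so) IP 192.168.1.20.51002 > 192.0.2.53.53: 1113+ A? www.mb6gpu84.com. (34)
10:00:09.000003 (en0, proc Google Chrome:733, svc BE, out, so) IP 192.168.1.20.51003 > 192.0.2.53.53: 1114+ AAAA? example.com. (29)
10:00:11.000004 (en0, proc expressvpnd:612, svc BE, out, so) IP 192.168.1.20.51004 > 192.0.2.53.53: 1115+ A? captive.apple.com. (35)
EOF
}

# Live use on macOS, 200 packets then a summary:
#   sudo tcpdump -n -c 200 -k port 53 | dns_by_process
sample_capture | dns_by_process
```

Each output row is count, process name and query name, tab-separated and sorted by count, so the noisiest process and hostname pair appears first.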