This doesn't work for many hotel paywalls, because they would have a catch-all rule for all DNS A queries (resolving to a local IP of the authenticating proxy) and block everything else. And the reason is exactly because of the DNS tunneling, which was making the rounds in p2p circles as far back as 2005 if not earlier.
Doesn't this cause issues with cached bogus A records once the user pays and is granted access? I suppose you could return really short TTLs, but there would still be a delay of at least a few seconds.
(I'm not doubting they do this, just saying it seems very hacky...)
Yes, it does, and of course it fails if the site called is HTTPS. AFAIK some implementations work as a proxy after successful authentication to reduce that problem.
Other solutions use proxy configuration detection to redirect people to a proxy that first asks for authentication/payment. (WPAD file)
Both solutions are kind of hacky, but they work for more or less all devices.
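
Added example, not part of the thread: a client-side check for the catch-all behaviour discussed above. It parses raw DNS responses, flags the case where unrelated names all resolve to one private address, and reports the TTL that bounds how long a cached bogus A record can linger after access is granted. The function names, the sample names and the 10.0.0.1 portal address are assumptions made for illustration.

```python
import ipaddress
import struct

def build_response(name, ip, ttl):
    """Constructed sample: a minimal DNS response carrying one A record."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    # The answer name is a compression pointer (0xC00C) back to the question name.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a 2-byte pointer always ends the name
            return off + 2
        off += 1 + n

def a_records(msg):
    """Extract (ttl, ip) for every A record in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    out = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append((ttl, ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return out

def looks_like_catch_all(responses):
    """True when several unrelated names all resolve to one private/reserved address."""
    ips = {ip for msg in responses for _, ip in a_records(msg)}
    return len(responses) > 1 and len(ips) == 1 and next(iter(ips)).is_private

def max_stale_seconds(responses):
    """Longest TTL seen: the upper bound on how long a bogus A record stays cached."""
    return max(ttl for msg in responses for ttl, _ in a_records(msg))

# Constructed samples: 10.0.0.1 stands in for the authenticating proxy.
PAYWALLED = [build_response(n, "10.0.0.1", 5) for n in ("example.com", "example.org", "example.net")]
NORMAL = [build_response("example.com", "192.0.2.10", 300), build_response("example.org", "198.51.100.7", 300)]
```
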