Captive portals typically only capture A records, but custom servers like iodine will return results for any request type if the request starts with 'z'. As long as the captive portal supports unauthed recursing (which 99% of them do), you can still tunnel IP over DNS.
Almost all captive portals simply use MAC addresses for auth, so in practice it's much easier to spoof a host's MAC/IP and piggyback their authed session. IP over DNS is more useful for things like mobile providers where it's harder to spoof hardware identifiers, or networks that allow outbound DNS or have a DNS recursing resolver.
Somebody mentioned something about assuming networks that have deep packet inspection (really, it's almost always just application proxies on common ports) might not allow outbound DNS. Don't ever assume that the person who set up the network was smart, or that they didn't leave a hole for backwards compatibility with some legacy application. Almost all consumer-oriented networks have some hole you can use to get out to the internet.
Almost all captive portals simply use MAC addresses for auth, so in practice it's much easier to spoof a host's MAC/IP and piggyback their authed session. IP over DNS is more useful for things like mobile providers where it's harder to spoof hardware identifiers, or networks that allow outbound DNS or have a DNS recursing resolver.
Somebody mentioned something about assuming networks that have deep packet inspection (really, it's almost always just application proxies on common ports) might not allow outbound DNS. Don't ever assume that the person who set up the network was smart, or that they didn't leave a hole for backwards compatibility with some legacy application. Almost all consumer-oriented networks have some hole you can use to get out to the internet.