The captive portals I've seen don't tamper with HTTP headers at all, or were you referring to IP headers? As for DNS, I don't think there's any safe way to avoid providing unauthenticated hosts with working DNS.
I may be getting things confused here, but I usually see captive portals do HTTP redirection (looking from a sniffer). That would involve tampering with the headers, correct?
Just IP NAT on the dest address sending you to the portal server. So actually they do tamper with headers, but only IP headers. You don't actually get any traffic to the real site until after your machine has been exempted from the NAT rule (and presumably a drop rule for non-HTTP traffic). There's an open source captive portal called NoCat that you can poke at if you ever want to set one up yourself.
