Yes, in the case of Bluecoat, for example, which is also sometimes used to set up paywalls, you hijack all HTTP/HTTPS traffic and redirect it to the Bluecoat server. So DNS goes through, and when the portal is submitted, nothing is done to permit DNS traffic in any type of firewall.