[Security] DNS queries allowed to any IP on port 53 (data exfiltration risk) #9

@Mossaka

Priority

High

Description

The firewall currently allows DNS queries (port 53) to ANY IP address, not just the configured DNS servers. This creates a data exfiltration vector.

Current behavior

  • host-iptables.ts:181-192 allows UDP/TCP port 53 to any destination
  • An attacker could send data to evil-dns-server.com:53 even if that domain isn't in the allowlist
  • The --dns-servers flag is documented but not enforced in the host-level filtering rules

Expected behavior

  • DNS queries should only be allowed to explicitly allowlisted DNS server IPs
  • Default: 8.8.8.8 and 8.8.4.4
  • User-configurable via --dns-servers flag

Code locations

  • src/host-iptables.ts:181-192 - Need to restrict by destination IP
  • src/host-iptables.ts:setupHostIptables() - Add dnsServers parameter
  • src/cli.ts - Pass DNS server IPs to setupHostIptables()

Suggested fix

// Instead of allowing port 53 to any IP, accept DNS only to the allowlisted servers,
// for both UDP and TCP:
import { execa } from 'execa';

async function allowDnsTo(chainName: string, dnsServers: string[]): Promise<void> {
  for (const dnsServer of dnsServers) {
    for (const proto of ['udp', 'tcp']) {
      await execa('iptables', [
        '-t', 'filter', '-A', chainName,
        '-p', proto, '-d', dnsServer, '--dport', '53',
        '-j', 'ACCEPT',
      ]);
    }
  }
}

Related documentation

  • CLAUDE.md:226-253 documents DNS allowlisting but implementation is incomplete
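Worked example of the restricted rule set the issue asks for, added here as illustration; it is not code from the project or from the issue author. It assumes a comma-separated --dns-servers value (the page does not show the flag's syntax), a hypothetical chain name SANDBOX_OUT, and the helper names parseDnsServers, buildDnsRules, verdict and applyDnsRules. It goes slightly beyond the issue by validating that every configured server is a literal IP, choosing ip6tables for IPv6 servers, and appending an explicit REJECT so port 53 to any other destination (the evil-dns-server.com case) is refused. The verdict function walks the generated rules first-match, the way netfilter evaluates a chain, so the policy can be checked without root before it is applied.

```typescript
import { isIP } from 'net';

// Defaults from the issue's "Expected behavior" section.
export const DEFAULT_DNS_SERVERS: string[] = ['8.8.8.8', '8.8.4.4'];

export interface Rule {
  bin: 'iptables' | 'ip6tables';
  args: string[];
}

// Parse the --dns-servers value. Comma-separated literal IPs are assumed here.
// Hostnames are rejected: resolving them would itself need DNS, and a non-IP
// string is never a valid -d argument.
export function parseDnsServers(flag?: string): string[] {
  if (flag === undefined || flag.trim() === '') return [...DEFAULT_DNS_SERVERS];
  const servers = flag.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
  for (const s of servers) {
    if (isIP(s) === 0) throw new Error(`--dns-servers: "${s}" is not an IP address`);
  }
  return Array.from(new Set(servers));
}

// Build the rules for the chain: ACCEPT port 53 only to allowlisted servers, then
// REJECT port 53 to anything else, for UDP and TCP, IPv4 and IPv6.
export function buildDnsRules(chainName: string, dnsServers: string[]): Rule[] {
  const rules: Rule[] = [];
  for (const dnsServer of dnsServers) {
    const bin = isIP(dnsServer) === 6 ? 'ip6tables' : 'iptables';
    for (const proto of ['udp', 'tcp']) {
      rules.push({
        bin,
        args: ['-t', 'filter', '-A', chainName, '-p', proto, '-d', dnsServer, '--dport', '53', '-j', 'ACCEPT'],
      });
    }
  }
  // Catch-all after the ACCEPTs so port 53 to any other destination is refused
  // even if a later rule in the chain would otherwise allow it.
  for (const bin of ['iptables', 'ip6tables'] as const) {
    for (const proto of ['udp', 'tcp']) {
      rules.push({ bin, args: ['-t', 'filter', '-A', chainName, '-p', proto, '--dport', '53', '-j', 'REJECT'] });
    }
  }
  return rules;
}

// First-match walk of the generated rules for a packet to dst:dport over proto.
// Returns undefined when no rule matches (the packet falls through the chain).
export function verdict(rules: Rule[], dst: string, proto: 'udp' | 'tcp', dport = 53): string | undefined {
  const bin = isIP(dst) === 6 ? 'ip6tables' : 'iptables';
  for (const r of rules) {
    if (r.bin !== bin) continue;
    const opt = (flag: string): string | undefined => {
      const i = r.args.indexOf(flag);
      return i >= 0 ? r.args[i + 1] : undefined;
    };
    if (opt('-p') !== proto) continue;
    if (opt('--dport') !== String(dport)) continue;
    const d = opt('-d');
    if (d !== undefined && d !== dst) continue;
    return opt('-j');
  }
  return undefined;
}

// Apply the rules through an injected runner (in the project that would be
// (r) => execa(r.bin, r.args)); injected so the logic is testable without root.
export async function applyDnsRules(rules: Rule[], run: (r: Rule) => Promise<unknown>): Promise<number> {
  let applied = 0;
  for (const r of rules) {
    await run(r);
    applied++;
  }
  return applied;
}

// Dry run: print the rules that would be applied for DNS_SERVERS (or the defaults).
for (const r of buildDnsRules('SANDBOX_OUT', parseDnsServers(process.env.DNS_SERVERS))) {
  console.log(r.bin, r.args.join(' '));
}
```

With the defaults, verdict reports ACCEPT for 8.8.8.8 and 8.8.4.4 and REJECT for any other address, so a query to a host outside the allowlist never leaves the sandbox regardless of what later rules in the chain permit.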

Labels: bug (Something isn't working)