January 13, 2026

When the phonebook snitches

Article URL →HN comments →

Data Exfiltration via DNS Resolution

Sandbox “phonebook” leak sparks bug-vs-user-error brawl

TLDR: A GitHub report claims a sandbox setting lets data sneak out through DNS lookups, even when other network rules are tight. The community is split between calling it a serious leak needing safer defaults and blaming misconfiguration, with jokes about the internet’s “phonebook” snitching flying everywhere.

One GitHub issue just turned the internet’s phonebook into the bad guy. In this report, a user shows that flipping a sandbox switch called “allowLocalBinding” can let secrets slip via DNS—the simple lookup that turns names into numbers. By asking for a made‑up hostname stuffed with your data, those details get bounced to an attacker’s server. Cue panic: is the sandbox leaking even when network rules say “no”?

Commenters split fast. The “lock it down” crowd calls it a silent escape hatch, arguing defaults should block DNS entirely and that “allowed domains” must cover lookups, not just connections. Others clap back: misconfiguration is not a vulnerability, saying if you turn on the power, expect the lights. Proposals flew: force a safe, internal DNS; intercept lookups inside the sandbox; or throw a giant warning when DNS is still open.

Humor, of course, sprinted in. One top gag: “my SSH key just took an Uber through DNS.” Another: “congrats, you built a firewall with a mail slot.” Memes of the “This Is Fine” dog in a burning server room flooded replies while devs battled over whether this is a bug, a feature, or a cautionary tale for dangerous defaults.

Key Points

  • A GitHub issue reports DNS-based data exfiltration in sandbox-runtime when allowLocalBinding is true.
  • Settings with empty allowedDomains and deniedDomains failed to block a dig query to a non-allowed domain.
  • Attackers can use NS delegation for a subdomain so resolvers send queries to their DNS servers.
  • The demonstration shows an A record query containing sensitive data reaching attacker-controlled DNS.
  • The reporter asserts any sandbox allowing local port binding may be vulnerable to DNS exfiltration.

Hottest takes

"Congrats, you built a firewall with a mail slot" — @packetPanic
"If DNS works, data walks. Block it or own it" — @secDad
"This isn’t a vuln, it’s a tutorial on why defaults matter" — @configCactus

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.