fix: restore DNS forwarding rules in DOCKER-USER chain

Docker's embedded DNS (127.0.0.11) forwards queries to upstream servers
through the container's network interface, which traverses the Docker
bridge and DOCKER-USER chain. The previous commit incorrectly assumed
Docker DNS bypasses container iptables entirely, but the DNS proxy
runs within the container's network namespace. Without DNS ACCEPT rules
in DOCKER-USER, forwarded queries are blocked, causing SERVFAIL.

Add UDP/TCP port 53 ACCEPT rules for configured upstream DNS servers
in the AWF_EGRESS chain, while keeping the simplified model where
containers can only use Docker embedded DNS (no direct external DNS).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Mossaka

src/cli-workflow.ts

@@ -2,7 +2,7 @@ import { WrapperConfig } from './types';
 
 export interface WorkflowDependencies {
   ensureFirewallNetwork: () => Promise<{ squidIp: string; agentIp: string; proxyIp: string; subnet: string }>;
-  setupHostIptables: (squidIp: string, port: number, apiProxyIp?: string) => Promise<void>;
+  setupHostIptables: (squidIp: string, port: number, apiProxyIp?: string, dnsServers?: string[]) => Promise<void>;
   writeConfigs: (config: WrapperConfig) => Promise<void>;
   startContainers: (workDir: string, allowedDomains: string[], proxyLogsDir?: string, skipPull?: boolean) => Promise<void>;
   runAgentCommand: (
@@ -46,7 +46,7 @@ export async function runMainWorkflow(
   // When API proxy is enabled, allow agent→sidecar traffic at the host level.
   // The sidecar itself routes through Squid, so domain whitelisting is still enforced.
   const apiProxyIp = config.enableApiProxy ? networkConfig.proxyIp : undefined;
-  await dependencies.setupHostIptables(networkConfig.squidIp, 3128, apiProxyIp);
+  await dependencies.setupHostIptables(networkConfig.squidIp, 3128, apiProxyIp, config.dnsServers);
   onHostIptablesSetup?.();
 
   // Step 1: Write configuration files

src/host-iptables.test.ts

@@ -143,8 +143,12 @@ describe('host-iptables', () => {
         '-j', 'ACCEPT',
       ]);
 
-      // Verify no DNS-specific rules (simplified model uses Docker embedded DNS)
-      expect(mockedExeca).not.toHaveBeenCalledWith('iptables', expect.arrayContaining(['--dport', '53']));
+      // Verify DNS forwarding rules for default upstream servers
+      expect(mockedExeca).toHaveBeenCalledWith('iptables', [
+        '-t', 'filter', '-A', 'FW_WRAPPER',
+        '-p', 'udp', '-d', '8.8.8.8', '--dport', '53',
+        '-j', 'ACCEPT',
+      ]);
 
       // Verify traffic to Squid rule
       expect(mockedExeca).toHaveBeenCalledWith('iptables', [
@@ -441,7 +445,7 @@ describe('host-iptables', () => {
       ]);
     });
 
-    it('should not create IPv6 chain (no DNS-specific rules in simplified model)', async () => {
+    it('should not create IPv6 chain but should add DNS forwarding rules', async () => {
       mockedExeca
         // Mock getNetworkBridgeName
         .mockResolvedValueOnce({
@@ -468,9 +472,19 @@ describe('host-iptables', () => {
 
       await setupHostIptables('172.30.0.10', 3128);
 
-      // Verify no DNS-specific rules and no IPv6 chain
+      // Verify no IPv6 chain
       expect(mockedExeca).not.toHaveBeenCalledWith('ip6tables', ['-t', 'filter', '-N', 'FW_WRAPPER_V6']);
-      expect(mockedExeca).not.toHaveBeenCalledWith('iptables', expect.arrayContaining(['--dport', '53']));
+      // DNS forwarding rules should exist for default upstream servers (8.8.8.8, 8.8.4.4)
+      expect(mockedExeca).toHaveBeenCalledWith('iptables', [
+        '-t', 'filter', '-A', 'FW_WRAPPER',
+        '-p', 'udp', '-d', '8.8.8.8', '--dport', '53',
+        '-j', 'ACCEPT',
+      ]);
+      expect(mockedExeca).toHaveBeenCalledWith('iptables', [
+        '-t', 'filter', '-A', 'FW_WRAPPER',
+        '-p', 'udp', '-d', '8.8.4.4', '--dport', '53',
+        '-j', 'ACCEPT',
+      ]);
     });
 
     it('should disable IPv6 via sysctl when ip6tables unavailable', async () => {

src/host-iptables.ts

@@ -143,15 +143,18 @@ export async function ensureFirewallNetwork(): Promise<{
  * Sets up host-level iptables rules using DOCKER-USER chain
  * This ensures ALL containers on the firewall network are subject to egress filtering.
  *
- * Simplified security model: only localhost and Squid proxy are allowed.
- * DNS resolution is handled by Docker's embedded DNS (127.0.0.11) which forwards
- * to upstream servers at the Docker daemon level, bypassing container iptables.
+ * Simplified security model: only localhost, Squid proxy, and DNS forwarding are allowed.
+ * Containers use Docker's embedded DNS (127.0.0.11) as their only nameserver.
+ * Docker's DNS proxy forwards queries to upstream servers configured via docker-compose dns: field.
+ * These forwarded queries traverse the Docker bridge and must be allowed in DOCKER-USER.
  * Squid resolves DNS internally for all HTTP/HTTPS traffic.
  *
  * @param squidIp - IP address of the Squid proxy
  * @param squidPort - Port number of the Squid proxy
+ * @param apiProxyIp - Optional IP address of the API proxy sidecar
+ * @param dnsServers - Upstream DNS servers that Docker embedded DNS forwards to
  */
-export async function setupHostIptables(squidIp: string, squidPort: number, apiProxyIp?: string): Promise<void> {
+export async function setupHostIptables(squidIp: string, squidPort: number, apiProxyIp?: string, dnsServers?: string[]): Promise<void> {
   logger.info('Setting up host-level iptables rules...');
 
   // Get the bridge interface name
@@ -269,10 +272,24 @@ export async function setupHostIptables(squidIp: string, squidPort: number, apiP
     await disableIpv6ViaSysctl();
   }
 
-  // Note: No DNS-specific rules needed. Docker's embedded DNS (127.0.0.11) handles
-  // all name resolution. It forwards to upstream servers at the Docker daemon level,
-  // which bypasses container iptables entirely. Squid resolves DNS internally for
-  // all HTTP/HTTPS traffic.
+  // 4b. Allow DNS forwarding to upstream servers
+  // Docker's embedded DNS (127.0.0.11) proxies queries to upstream servers configured
+  // via docker-compose dns: field. These forwarded queries traverse the Docker bridge
+  // and need to be allowed here. Only the configured upstream servers are permitted.
+  const upstreamDns = dnsServers && dnsServers.length > 0 ? dnsServers : ['8.8.8.8', '8.8.4.4'];
+  logger.debug(`Allowing DNS forwarding to upstream servers: ${upstreamDns.join(', ')}`);
+  for (const dnsServer of upstreamDns) {
+    await execa('iptables', [
+      '-t', 'filter', '-A', CHAIN_NAME,
+      '-p', 'udp', '-d', dnsServer, '--dport', '53',
+      '-j', 'ACCEPT',
+    ]);
+    await execa('iptables', [
+      '-t', 'filter', '-A', CHAIN_NAME,
+      '-p', 'tcp', '-d', dnsServer, '--dport', '53',
+      '-j', 'ACCEPT',
+    ]);
+  }
 
   // 5. Allow traffic to Squid proxy
   await execa('iptables', [