
If a single TCP channel is all that is allowed, on a single port to a single orchestrator IP, and the only service attached to that channel on the other end is the orchestrator which reports results to the host worker, why would you need anything to do with DNS? Isn't this a simple thing to do with a firewall rule, once you know the orchestrator's network-local IP?

(Certainly this would prevent things like package manager installations, etc., but if you're in a use case where you really want to sandbox things, you wouldn't want people to have e.g. NPM access as I'm sure there are ways to use that for exfiltration/C&C!)
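An added example of the egress policy the comment above describes, not code from the thread: an nftables ruleset for the sandbox's network namespace that permits exactly one outbound TCP channel to the orchestrator and drops everything else, DNS included (so package installs and name lookups fail closed). The orchestrator address `10.0.0.10`, port `4433` and the table name `sandbox_egress` are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the HN thread). Assumed placeholders: orchestrator
# IP 10.0.0.10, port 4433, table name sandbox_egress.

# Emit an nftables ruleset for a given orchestrator IP and port. Default
# policy is drop, so anything not listed (DNS on 53, HTTPS to registries,
# IPv6 in general) never leaves the sandbox namespace.
egress_ruleset() {
    orch_ip="$1"
    orch_port="$2"
    cat <<EOF
table inet sandbox_egress {
    chain output {
        type filter hook output priority 0; policy drop;
        # keep replies on the already-open channel flowing
        ct state established,related accept
        # loopback stays usable for local IPC inside the sandbox
        oifname "lo" accept
        # the single permitted channel: new TCP connections to the orchestrator
        ip daddr $orch_ip tcp dport $orch_port ct state new accept
        # everything else is dropped and logged so blocked attempts are visible
        log prefix "sandbox-egress-drop: " drop
    }
}
EOF
}

# Small policy oracle mirroring the ruleset above, handy for checking the
# intent before loading it: only the (tcp, orchestrator IP, orchestrator port)
# tuple is allowed; a DNS lookup or any other destination is dropped.
flow_allowed() {
    proto="$1"; dst="$2"; port="$3"; orch_ip="$4"; orch_port="$5"
    if [ "$proto" = tcp ] && [ "$dst" = "$orch_ip" ] && [ "$port" = "$orch_port" ]; then
        echo allow
    else
        echo drop
    fi
}

# Usage: write the ruleset out and syntax-check it with nft without loading it.
# egress_ruleset 10.0.0.10 4433 > /tmp/sandbox.nft && nft -c -f /tmp/sandbox.nft
```

Load it with `nft -f` inside the sandbox's network namespace (or via `ip netns exec`), and watch the kernel log for the `sandbox-egress-drop:` prefix to see what the sandboxed code tried to reach.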
