Problem
AWF defaults Squid's dns_nameservers to Google DNS (8.8.8.8, 8.8.4.4). In enterprise/private VPC environments where Google DNS is unreachable, this makes AWF completely unusable — all proxied requests fail with ERR_DNS_FAIL.
While --dns-servers exists as a CLI flag, gh-aw compiled workflows don't expose it, so enterprise customers on self-hosted runners have no way to configure DNS.
Related: #422 (customer report from @github-antoine-brechon)
Proposed Solution
Auto-detect host DNS resolvers from /etc/resolv.conf (or /run/systemd/resolve/resolv.conf for systemd-resolved) when --dns-servers is not explicitly provided.
Key requirements:
- Filter out loopback addresses (127.0.0.11 for DinD, 127.0.0.53 for systemd-resolved)
- Fall back to Google DNS if auto-detection yields no usable servers
- Preserve existing --dns-servers flag for explicit override
- No changes needed to iptables security model — detected servers are still restricted
- Log detected servers at info level for operator visibility
Security Notes
- iptables DNS restriction model is unchanged (only detected servers are allowed)
- Corporate DNS is actually more secure for enterprise (policy enforcement, audit logging, no DNS query leak to Google)
- resolv.conf is read on host before containers start — agent cannot tamper
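As an added illustration of the detection logic proposed above (example code, not AWF's own implementation): parse nameserver entries from one or more resolv.conf sources in order, drop loopback stubs, and fall back to Google DNS when nothing usable remains. The file contents below are constructed samples mimicking a systemd-resolved host; the function names and the path-to-contents input shape are assumptions, and the loopback filter generalises beyond the two stub addresses named in the issue to all of 127.0.0.0/8 and ::1.

```typescript
// Squid dns_nameservers defaults used when host detection yields nothing.
const FALLBACK_DNS = ["8.8.8.8", "8.8.4.4"];

// Loopback stubs (127.0.0.11 for Docker's embedded DNS, 127.0.0.53 for
// systemd-resolved) are unreachable from the proxy container, so they are
// dropped. Generalised here to the whole 127.0.0.0/8 range plus IPv6 ::1.
function isLoopback(addr: string): boolean {
  return addr.startsWith("127.") || addr === "::1";
}

// Extract `nameserver <addr>` entries from resolv.conf text. Comments (# or ;),
// blank lines and other directives (search, options) are ignored; duplicates
// are collapsed while preserving first-seen order.
function parseNameservers(text: string): string[] {
  const seen = new Set<string>();
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const parts = line.split(/\s+/);
    if (parts[0] !== "nameserver" || parts.length < 2) continue;
    seen.add(parts[1]);
  }
  return [...seen];
}

// Walk the candidate files in order (e.g. /etc/resolv.conf, then the
// systemd-resolved upstream file) and return the first non-loopback server
// list. `sources` maps a path to its contents, read on the host by the caller;
// null marks a file that does not exist.
function detectDns(sources: Array<[string, string | null]>): { servers: string[]; source: string } {
  for (const [path, text] of sources) {
    if (text === null) continue;
    const usable = parseNameservers(text).filter((a) => !isLoopback(a));
    if (usable.length > 0) return { servers: usable, source: path };
  }
  return { servers: [...FALLBACK_DNS], source: "fallback" };
}

// Constructed sample inputs: the stub file only names 127.0.0.53, the
// upstream file carries the real corporate resolvers (with a duplicate).
const STUB_RESOLV = "# stub-resolv.conf\nnameserver 127.0.0.53\noptions edns0 trust-ad\nsearch corp.example\n";
const UPSTREAM_RESOLV = "nameserver 10.0.0.2\nnameserver 10.0.0.3\nnameserver 10.0.0.2\nsearch corp.example\n";

const detected = detectDns([["/etc/resolv.conf", STUB_RESOLV], ["/run/systemd/resolve/resolv.conf", UPSTREAM_RESOLV]]);
// Info-level log line for operator visibility, in Squid directive form.
console.log(`dns_nameservers ${detected.servers.join(" ")}  (detected from ${detected.source})`);
```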