This is an excellent point. I moved this to #1 on the TODO list. I'll deny all DNS resolution by default until Cilium is integrated, if that passes the basic functionality tests.

I'll also add to the roadmap whilelist/deny for container pulling.

Thanks!