diff --git a/images/wrenn-init.sh b/images/wrenn-init.sh
index ec088ff..6e45e24 100644
--- a/images/wrenn-init.sh
+++ b/images/wrenn-init.sh
@@ -19,5 +19,9 @@ mount -t cgroup2 cgroup2 /sys/fs/cgroup 2>/dev/null || true
 # Set hostname
 hostname sandbox
 
+# Configure DNS resolver.
+echo "nameserver 8.8.8.8" > /etc/resolv.conf
+echo "nameserver 8.8.4.4" >> /etc/resolv.conf
+
 # Exec envd as the main process (replaces this script, keeps PID 1).
 exec /usr/local/bin/envd
diff --git a/internal/network/setup.go b/internal/network/setup.go
index 412154d..60212d9 100644
--- a/internal/network/setup.go
+++ b/internal/network/setup.go
@@ -278,9 +278,11 @@ func CreateNetwork(slot *Slot) error {
 	}
 
 	// MASQUERADE for outbound traffic from sandbox.
+	// After SNAT inside the namespace, outbound packets arrive on the host
+	// with source = vpeerIP, so we match on that (not hostIP).
 	if err := iptablesHost(
 		"-t", "nat", "-A", "POSTROUTING",
-		"-s", fmt.Sprintf("%s/32", slot.HostIP.String()),
+		"-s", fmt.Sprintf("%s/32", slot.VpeerIP.String()),
 		"-o", defaultIface,
 		"-j", "MASQUERADE",
 	); err != nil {
@@ -314,7 +316,7 @@ func RemoveNetwork(slot *Slot) error {
 	)
 	iptablesHost(
 		"-t", "nat", "-D", "POSTROUTING",
-		"-s", fmt.Sprintf("%s/32", slot.HostIP.String()),
+		"-s", fmt.Sprintf("%s/32", slot.VpeerIP.String()),
 		"-o", defaultIface,
 		"-j", "MASQUERADE",
 	)
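Review bot: The two `echo` lines pin the sandbox resolver to Google public DNS with no override, so every name lookup from every sandbox leaves the host in cleartext to a third-party resolver regardless of the deployment's own DNS policy or any internal names it needs to resolve. Consider taking the server list from an environment variable or a file baked into the image, with these two as the fallback, e.g. `for ns in ${SANDBOX_DNS:-8.8.8.8 8.8.4.4}; do echo "nameserver $ns"; done > /etc/resolv.conf` (variable name illustrative), and stating the rationale in the comment rather than the bare `# Configure DNS resolver.`. If `/etc/resolv.conf` is a symlink in this image the first redirection follows it, and a read-only `/etc` makes the write fail; whether the script runs under `set -e` is outside the hunk, so the failure mode before `exec envd` should be confirmed.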
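Review bot: The rule is installed with `-A` and torn down with a single `-D` in RemoveNetwork, so if CreateNetwork runs twice for the same slot (or an earlier teardown failed) the host POSTROUTING chain accumulates duplicate MASQUERADE entries that one delete will not clear; running `iptables -C` with the same arguments before `-A` keeps the rule idempotent. The added comment justifies the vpeerIP match by an SNAT rule inside the namespace that is not in this hunk; naming where that rule is installed would keep the two in sync, e.g. `// Keep in sync with the namespace-side SNAT rule (see <namespace setup function> in this package).`. Only the NAT match is changed here; if other host rules in CreateNetwork still match on `slot.HostIP` they would now be inconsistent, which cannot be seen from the hunk and is worth confirming. CreateNetwork starts and ends outside the hunk.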
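Review bot: The return value of `iptablesHost` on the `-D POSTROUTING` call is discarded, so a failed delete leaves a stale MASQUERADE rule for `slot.VpeerIP` on the host, and if that address is later handed to another slot the leftover rule silently applies to it. RemoveNetwork should at least surface the error, by logging it or collecting it with `errors.Join` alongside the other teardown failures, and an intentionally ignored return deserves a comment saying why. The match arguments are now copied verbatim between CreateNetwork and RemoveNetwork, and `-D` only succeeds when they are byte-identical; a small helper returning the shared `-s`/`-o`/`-j` argument list, used by both calls, would stop the two from drifting apart as they did before this fix. RemoveNetwork starts and ends outside the hunk.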