
[Bug]: DNS - ensure that two hosts cannot have the same name. #394

@jglogan

Description


I have done the following

  • I have searched the existing issues
  • If possible, I've reproduced the issue using the 'main' branch of this project

Steps to reproduce

The invariant for host FQDNs for our lightweight DNS server is that container FQDNs shall be unique, so that it's not possible to have two address records for the same FQDN that refer to the same IP.

A basic check to prevent this occurs when the sandbox allocates an IP using an FQDN, but this check only has network scope.

The container uniqueness check also prevents many cases since we're forming FQDNs from container names.

Because we do not comprehensively check FQDNs at container create time to enforce the invariant, it is possible, though not straightforward, to violate the invariant.

Current behavior

  1. sudo container system dns create test
  2. container system dns default test
  3. container run --rm -d --name web.test python:slim python3 -m http.server --bind 0.0.0.0 80
  4. container network create foo
  5. container run --rm -d --name web -w /tmp --network backend python:slim python3 -m http.server --bind 0.0.0.0 80 web

After step 5 a request to web.test may respond with the web server on either network (behavior depends on the lookup implementation):

% curl web.test
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
</ul>
<hr>
</body>
</html>

Expected behavior

Step 5 should fail because the web.test FQDN is in use by the first container.

Environment

- OS: macOS 26 preview
- Xcode: 26 beta
- Container: main

Relevant log output

Code of Conduct

  • I agree to follow this project's Code of Conduct
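The scoping gap this issue describes, modelled as an added example (not code from the report or from the container project): the same host table is run with a per-network FQDN check and with a check across every network, replaying steps 3 and 5. `HostTable`, `to_fqdn`, `replay`, the IP addresses, and the rule that a bare container name receives the default DNS domain are assumptions made for illustration.

```python
# Added illustration; not code from the container project.
# All names here (HostTable, to_fqdn, replay) are hypothetical.
from dataclasses import dataclass, field


class DuplicateFQDN(Exception):
    """Raised when an FQDN is already bound to an address."""


def to_fqdn(name: str, default_domain: str) -> str:
    """Assumed naming rule: a bare container name gets the default DNS domain."""
    name = name.rstrip(".").lower()  # DNS names compare case-insensitively
    return name if "." in name else f"{name}.{default_domain}"


@dataclass
class HostTable:
    global_scope: bool  # False: check only the target network; True: check all
    records: dict = field(default_factory=dict)  # network -> {fqdn: ip}

    def allocate(self, network: str, name: str, ip: str,
                 default_domain: str = "test") -> str:
        fqdn = to_fqdn(name, default_domain)
        if self.global_scope:
            scope = self.records
        else:
            scope = {network: self.records.get(network, {})}
        for net, hosts in scope.items():
            if fqdn in hosts:
                raise DuplicateFQDN(f"{fqdn} already bound to {hosts[fqdn]} on {net}")
        self.records.setdefault(network, {})[fqdn] = ip
        return fqdn

    def lookup(self, fqdn: str) -> list:
        """Every address a resolver could return for this FQDN."""
        return sorted(h[fqdn] for h in self.records.values() if fqdn in h)


def replay(global_scope: bool):
    """Replay steps 3 and 5 of the report; IPs and network names are constructed."""
    table = HostTable(global_scope)
    table.allocate("default", "web.test", "192.168.64.2")  # step 3
    try:
        table.allocate("backend", "web", "192.168.65.2")   # step 5
        rejected = False
    except DuplicateFQDN:
        rejected = True
    return rejected, table.lookup("web.test")
```

With the network-scoped check, `replay(False)` accepts step 5 and `web.test` resolves to two addresses; with the global check, `replay(True)` rejects step 5 and the name keeps a single address.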

Labels

network: Issues and features associated with networking and DNS.
next: Items in scope for the next few milestones.
