diff --git a/containers/agent/entrypoint.sh b/containers/agent/entrypoint.sh
index 9598f19c..9eadefee 100644
--- a/containers/agent/entrypoint.sh
+++ b/containers/agent/entrypoint.sh
@@ -162,15 +162,28 @@ if [ "${AWF_CHROOT_ENABLED}" = "true" ]; then
   # NOTE: We backup the host's original resolv.conf and set up a trap to restore it
   RESOLV_BACKUP="/host/etc/resolv.conf.awf-backup-$$"
   RESOLV_MODIFIED=false
-  if cp /host/etc/resolv.conf "$RESOLV_BACKUP" 2>/dev/null; then
-    if cp /etc/resolv.conf /host/etc/resolv.conf.awf 2>/dev/null; then
-      mv /host/etc/resolv.conf.awf /host/etc/resolv.conf 2>/dev/null && RESOLV_MODIFIED=true
-      echo "[entrypoint] DNS configuration copied to chroot (backup at $RESOLV_BACKUP)"
+  RESOLV_CREATED=false
+  if [ -f /host/etc/resolv.conf ]; then
+    # File exists: backup original and replace with AWF DNS configuration
+    if cp /host/etc/resolv.conf "$RESOLV_BACKUP" 2>/dev/null; then
+      if cp /etc/resolv.conf /host/etc/resolv.conf.awf 2>/dev/null; then
+        mv /host/etc/resolv.conf.awf /host/etc/resolv.conf 2>/dev/null && RESOLV_MODIFIED=true
+        echo "[entrypoint] DNS configuration copied to chroot (backup at $RESOLV_BACKUP)"
+      else
+        echo "[entrypoint][WARN] Could not copy DNS configuration to chroot"
+      fi
     else
-      echo "[entrypoint][WARN] Could not copy DNS configuration to chroot"
+      echo "[entrypoint][WARN] Could not backup host resolv.conf, skipping DNS override"
     fi
   else
-    echo "[entrypoint][WARN] Could not backup host resolv.conf, skipping DNS override"
+    # File doesn't exist: selective /etc mounts don't include resolv.conf
+    # Create it from the container's resolv.conf (which has AWF DNS config)
+    if cp /etc/resolv.conf /host/etc/resolv.conf 2>/dev/null; then
+      RESOLV_CREATED=true
+      echo "[entrypoint] DNS configuration created in chroot (/host/etc/resolv.conf)"
+    else
+      echo "[entrypoint][WARN] Could not create DNS configuration in chroot"
+    fi
   fi
 
   # Determine working directory inside the chroot
@@ -291,6 +304,10 @@ AWFEOF
     CHROOT_RESOLV_BACKUP="${RESOLV_BACKUP#/host}"
     CLEANUP_CMD="${CLEANUP_CMD}; mv '${CHROOT_RESOLV_BACKUP}' /etc/resolv.conf 2>/dev/null || true"
     echo "[entrypoint] DNS configuration will be restored on exit"
+  elif [ "$RESOLV_CREATED" = "true" ]; then
+    # File was created by us; remove it on exit to leave no trace
+    CLEANUP_CMD="${CLEANUP_CMD}; rm -f /etc/resolv.conf 2>/dev/null || true"
+    echo "[entrypoint] DNS configuration will be removed on exit"
   fi
 
   exec chroot /host /bin/bash -c "
diff --git a/tests/integration/chroot-edge-cases.test.ts b/tests/integration/chroot-edge-cases.test.ts
index 821c9814..b75dba11 100644
--- a/tests/integration/chroot-edge-cases.test.ts
+++ b/tests/integration/chroot-edge-cases.test.ts
@@ -272,7 +272,7 @@ describe('Chroot Edge Cases', () => {
     }, 60000);
 
     test('should block HTTP to non-whitelisted domains', async () => {
-      const result = await runner.runWithSudo('curl -s --connect-timeout 5 http://example.com 2>&1', {
+      const result = await runner.runWithSudo('curl -f --connect-timeout 5 http://example.com 2>&1', {
         allowDomains: ['github.com'],
         logLevel: 'debug',
         timeout: 30000,