network security of the microvm (sandbox for egress domain names/IPs) #5012
nnWhisperer
started this conversation in
General
Replies: 0 comments
Hello,
Assuming that the microvm can run any code, is there a way to limit the domains it can connect to? Pi-hole DNS filtering comes to my mind, but simple DNS filtering isn't guaranteed, as an app may have an IP to connect to embedded inside it. Hence, for the use case that comes to my mind, ideally there must be a DNS server that replies correctly only for the whitelisted domains and then controls iptables to allow access to those IP addresses only. There is no such tool that I know of, but maybe someone knows.
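A sketch of the decision logic the post describes, as an added example that is not part of the original post or of any existing tool: a resolver hook answers only allowlisted names and pins each returned address into an ipset that the host's FORWARD chain matches on. The set name, tap interface, allowlist and sample answers are all constructed assumptions, and the resolver is assumed to run on the host.

```python
import ipaddress

ALLOWED_DOMAINS = {"example.com", "updates.example.net"}  # constructed allowlist
IPSET_NAME = "microvm_egress"  # hypothetical ipset name
TAP_IFACE = "tap0"             # hypothetical tap device of the microVM
MAX_TTL = 300                  # cap on how long a resolved IP stays reachable

# Never pin these: a name resolving here would open the host, LAN or metadata service.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

def is_allowed(qname, allowed=ALLOWED_DOMAINS):
    """Exact or subdomain match on a label boundary (evilexample.com must fail)."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowed)

def handle_answer(qname, answers):
    """answers: (ip, ttl) pairs from the upstream resolver.
    Returns (reply, commands); a denied name gets an empty reply and no rule."""
    if not is_allowed(qname):
        return [], []
    reply, cmds = [], []
    for ip, ttl in answers:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4 or any(addr in net for net in BLOCKED_NETS):
            continue  # the set below is IPv4-only; internal ranges are refused
        timeout = max(1, min(ttl, MAX_TTL))
        # Reply TTL equals the set timeout, so the guest re-queries before expiry.
        reply.append((str(addr), timeout))
        cmds.append(["ipset", "-exist", "add", IPSET_NAME, str(addr),
                     "timeout", str(timeout)])
    return reply, cmds

def baseline_rules():
    """One-time setup: default-deny forwarding from the guest except pinned IPs."""
    return [
        ["ipset", "create", IPSET_NAME, "hash:ip", "timeout", str(MAX_TTL)],
        ["iptables", "-A", "FORWARD", "-i", TAP_IFACE, "-m", "set",
         "--match-set", IPSET_NAME, "dst", "-j", "ACCEPT"],
        ["iptables", "-A", "FORWARD", "-i", TAP_IFACE, "-j", "DROP"],
    ]

if __name__ == "__main__":
    sample = [("203.0.113.10", 3600), ("169.254.169.254", 60)]  # constructed answers
    for cmd in baseline_rules() + handle_answer("api.example.com.", sample)[1]:
        print(" ".join(cmd))
```

The firewall rule must be in place before the DNS reply is sent to the guest, otherwise the first connection attempt races the set update.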