Got some help from reddit on this one. The issue is that doing -p 53:53 binds to all interfaces. If I specify just the local interface (127.0.0.1), then it won't expose the port externally. Will update the code above accordingly (adding PIFACE environment variable to sysconfig file).