DNS resolver listens on public interfaces

Expected behavior

DNS resolver does not listen on public interfaces (e.g. WiFi). Incident response team at university is happy.
$ nmap -p 53 [public ip] | grep domain
53/tcp closed domain

Actual behavior

DNS resolver listens on public interfaces. Incident response team at university is unhappy and sends unhappy emails.
$ nmap -p 53 [public ip] | grep domain
53/tcp open domain

Information

$ pinata diagnose -u OS X: version 10.11.4 (build: 15E65) Docker.app: version v1.11.0-beta8.2 Running diagnostic tests: [OK] docker-cli [OK] Moby booted [OK] driver.amd64-linux [OK] vmnetd [OK] osxfs [OK] db [OK] slirp [OK] menubar [OK] environment [OK] Docker [OK] VT-x Docker logs are being collected into /tmp/20160422-132653.tar.gz Most specific failure is: No error was detected Your unique id is: 62965507-D5B8-468C-B1BD-8154A124D563 Please quote this in all correspondence.

Steps to reproduce the behavior

  1. Start Docker