diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index b8c6c97507..0a60bb861a 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -531,10 +531,15 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
 
     /* If this is an isolated network, set the default route option
      * (3) to be empty to avoid setting a default route that's
-     * guaranteed to not work.
+     * guaranteed to not work, and set --no-resolv so that no dns
+     * requests are forwarded on to the dns server listed in the
+     * host's /etc/resolv.conf (since this could be used as a channel
+     * to build a connection to the outside).
      */
-    if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE)
-        virCommandAddArg(cmd, "--dhcp-option=3");
+    if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE) {
+        virCommandAddArgList(cmd, "--dhcp-option=3",
+                             "--no-resolv", NULL);
+    }
 
     if (network->def->dns != NULL) {
         virNetworkDNSDefPtr dns = network->def->dns;
diff --git a/tests/networkxml2argvdata/isolated-network.argv b/tests/networkxml2argvdata/isolated-network.argv
index f8013965c8..7ea2e94404 100644
--- a/tests/networkxml2argvdata/isolated-network.argv
+++ b/tests/networkxml2argvdata/isolated-network.argv
@@ -1,5 +1,6 @@
 /usr/sbin/dnsmasq --strict-order --bind-interfaces --conf-file= \
---except-interface lo --dhcp-option=3 --listen-address 192.168.152.1 \
+--except-interface lo --dhcp-option=3 --no-resolv \
+--listen-address 192.168.152.1 \
 --dhcp-range 192.168.152.2,192.168.152.254 \
 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/private.leases --dhcp-lease-max=253 \
 --dhcp-no-override\
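Review bot: `--no-resolv` only stops dnsmasq from reading the host's /etc/resolv.conf; an explicit `--server=` or `--resolv-file=` argument added further down in networkBuildDnsmasqArgv (the function continues past this hunk, starting with the `network->def->dns` branch) would still hand the isolated network an upstream resolver, so the isolation this hunk claims rests on no such argument being appended for the VIR_NETWORK_FORWARD_NONE case. It is worth checking the rest of the argv construction for that, and recording the invariant next to the new comment, e.g. `* (Any later --server/--resolv-file argument would reopen that path.)`. The updated isolated-network.argv expectation pins the exact argv for the isolated case, which is the right place to catch a regression if such an argument is ever added.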