diff --git a/etchosts/etchosts.go b/etchosts/etchosts.go
index 45265325..d55298af 100644
--- a/etchosts/etchosts.go
+++ b/etchosts/etchosts.go
@@ -119,25 +119,34 @@ func Add(path string, recs []Record) error {
 		return nil
 	}
 
-	f, err := os.Open(path)
+	b, err := mergeRecords(path, recs)
 	if err != nil {
 		return err
 	}
 
+	return ioutil.WriteFile(path, b, 0644)
+}
+
+func mergeRecords(path string, recs []Record) ([]byte, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
 	content := bytes.NewBuffer(nil)
 
-	_, err = content.ReadFrom(f)
-	if err != nil {
-		return err
+	if _, err := content.ReadFrom(f); err != nil {
+		return nil, err
 	}
 
 	for _, r := range recs {
 		if _, err := r.WriteTo(content); err != nil {
-			return err
+			return nil, err
 		}
 	}
 
-	return ioutil.WriteFile(path, content.Bytes(), 0644)
+	return content.Bytes(), nil
 }
 
 // Delete deletes an arbitrary number of Records already existing in /etc/hosts file
diff --git a/sandbox_dns_unix.go b/sandbox_dns_unix.go
index 73570856..6b70cb7a 100644
--- a/sandbox_dns_unix.go
+++ b/sandbox_dns_unix.go
@@ -275,7 +275,15 @@ func (sb *sandbox) updateDNS(ipv6Enabled bool) error {
 	if err != nil {
 		return err
 	}
-	if err = ioutil.WriteFile(tmpHashFile.Name(), []byte(newRC.Hash), filePerm); err != nil {
+	if err = tmpHashFile.Chmod(filePerm); err != nil {
+		tmpHashFile.Close()
+		return err
+	}
+	_, err = tmpHashFile.Write([]byte(newRC.Hash))
+	if err1 := tmpHashFile.Close(); err == nil {
+		err = err1
+	}
+	if err != nil {
 		return err
 	}
 	return os.Rename(tmpHashFile.Name(), hashFile)
diff --git a/sandbox_externalkey_unix.go b/sandbox_externalkey_unix.go
index 898cedd2..a57bb8e3 100644
--- a/sandbox_externalkey_unix.go
+++ b/sandbox_externalkey_unix.go
@@ -135,6 +135,8 @@ func (c *controller) acceptClientConnections(sock string, l net.Listener) {
 			continue
 		}
 		go func() {
+			defer conn.Close()
+
 			err := c.processExternalKey(conn)
 			ret := success
 			if err != nil {