$OpenBSD: patch-bin_dig_host_c,v 1.15 2020/04/15 18:41:07 sthen Exp $

Index: bin/dig/host.c
--- bin/dig/host.c.orig
+++ bin/dig/host.c
@@ -15,6 +15,7 @@
 #include <limits.h>
 #include <stdbool.h>
 #include <stdlib.h>
+#include <unistd.h>
 
 #ifdef HAVE_LOCALE_H
 #include <locale.h>
@@ -900,6 +901,15 @@ main(int argc, char **argv) {
 	dighost_trying = trying;
 	dighost_shutdown = host_shutdown;
 
+	/*
+	 * unix: needed for startup check, isc_net_probeunix. can probably be
+	 *       hardcoded instead? (unix sockets used in controlconf).
+	 */
+	if (pledge("stdio rpath inet unix dns", NULL) == -1) {
+		perror("pledge");
+		exit(1);
+	}
+
 	debug("main()");
 	progname = argv[0];
 	pre_parse_args(argc, argv);
@@ -913,6 +923,16 @@ main(int argc, char **argv) {
 	} else if (keysecret[0] != 0) {
 		setup_text_key();
 	}
+
+	/*
+	 * dns:   resolv.conf, also allows port 53 sockets
+	 * inet:  needed if we query on port != 53
+	 */
+	if (pledge("stdio inet dns", NULL) == -1) {
+		perror("pledge");
+		exit(1);
+	}
+
 	result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
 	check_result(result, "isc_app_onrun");
 	isc_app_run();
