$OpenBSD: patch-bin_dig_nslookup_c,v 1.17 2020/09/17 08:16:03 sthen Exp $

Index: bin/dig/nslookup.c
--- bin/dig/nslookup.c.orig
+++ bin/dig/nslookup.c
@@ -1009,6 +1009,15 @@ main(int argc, char **argv) {
 	result = isc_app_start();
 	check_result(result, "isc_app_start");
 
+	/*
+	 * unix: needed for startup check, isc_net_probeunix. can probably be
+	 *       hardcoded instead? (unix sockets used in controlconf).
+	 */
+	if (pledge("stdio rpath inet unix dns", NULL) == -1) {
+		perror("pledge");
+		exit(1);
+	}
+
 	setup_libs();
 	progname = argv[0];
 
@@ -1019,6 +1028,16 @@ main(int argc, char **argv) {
 	} else if (keysecret[0] != 0) {
 		setup_text_key();
 	}
+
+	/*
+	 * dns:   resolv.conf, also allows port 53 sockets
+	 * inet:  needed if we query on port != 53
+	 */
+	if (pledge("stdio inet dns", NULL) == -1) {
+		perror("pledge");
+		exit(1);
+	}
+
 	if (domainopt[0] != '\0') {
 		set_search_domain(domainopt);
 	}
