$OpenBSD: patch-bin_dig_host_c,v 1.9 2019/08/22 16:16:46 sthen Exp $

Index: bin/dig/host.c
--- bin/dig/host.c.orig
+++ bin/dig/host.c
@@ -901,6 +901,11 @@ main(int argc, char **argv) {
 	dighost_trying = trying;
 	dighost_shutdown = host_shutdown;
 
+	if (pledge("stdio rpath inet unix dns", NULL) == -1) {
+		perror("pledge");
+		exit(1);
+	}
+
 	debug("main()");
 	progname = argv[0];
 	pre_parse_args(argc, argv);
@@ -909,6 +914,13 @@ main(int argc, char **argv) {
 	setup_libs();
 	setup_system(ipv4only, ipv6only);
 	parse_args(false, argc, argv);
+
+	/* inet for network connections, dns for resolv.conf, rpath for charset conversion */
+	if (pledge("stdio rpath inet dns", NULL) == -1) {
+		perror("pledge");
+		exit(1);
+	}
+
 	if (keyfile[0] != 0)
 		setup_file_key();
 	else if (keysecret[0] != 0)
