> then a 'dig' or 'nslookup' fails even though I can get to port 8053 on
> 127.0.0.1.
This is due to the socket pledge code, with SOCK_DNS. This area was damaged during the transition to pledge, and hasn't been repaired. Maybe one day. But for the moment, it is not getting fixed because it isn't easy. It is the only major damage from pledge which hasn't been fixed yet, and if you go study the source code of dig and nslookup carefully you'll see why.