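The following ACLs were written for a djbdns setup based on Jeremy Rauch's "Installing djbdns (DNScache) for Name Service", parts 1 & 2. With this configuration, dnscache and tinydns must be started before the kernel is sealed, or while LIDS_GLOBAL is disabled, so that they can bind to port 53. The ACLs shown here only control file access under /var/dnscache; they do not grant either daemon the capability to bind a privileged port once LIDS is enforcing.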
# dnscache
#
# Start from read-only: the whole /var/dnscache tree is made READONLY for
# every process, and the rules after it open up only the directories that
# the daemontools helpers have to write to.
/sbin/lidsconf -A -o /var/dnscache -j READONLY

# supervise gets WRITE on the two supervise directories (the service itself
# and its log service), and nowhere else.
for supervise_dir in \
  /var/dnscache/dnscache/supervise \
  /var/dnscache/dnscache/log/supervise
do
  /sbin/lidsconf -A -s /usr/local/bin/supervise -o "$supervise_dir" -j WRITE
done

# multilog gets WRITE on the log output directory only.
/sbin/lidsconf -A -s /usr/local/bin/multilog -o /var/dnscache/dnscache/log/main -j WRITE
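# tinydns
#
# The tinydns service directory sits under /var/dnscache, so the READONLY
# rule on that tree covers it as well. Only supervise and multilog are given
# WRITE, each on the single directory it maintains.
# NOTE(review): no rule here grants WRITE on the tinydns data files, so zone
# updates presumably have to be made while LIDS_GLOBAL is disabled -- confirm
# against your own layout.
/bin/echo "tinydns"
/sbin/lidsconf -A -s /usr/local/bin/supervise \
-o /var/dnscache/tinydns/supervise -j WRITE
/sbin/lidsconf -A -s /usr/local/bin/supervise \
-o /var/dnscache/tinydns/log/supervise -j WRITE
/sbin/lidsconf -A -s /usr/local/bin/multilog \
-o /var/dnscache/tinydns/log/main -j WRITE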