diff --git a/profiles/apparmor.d/nslookup b/profiles/apparmor.d/nslookup
index ff62b7192..9628f60b2 100644
--- a/profiles/apparmor.d/nslookup
+++ b/profiles/apparmor.d/nslookup
@@ -16,25 +16,26 @@ include <tunables/global>
 
 profile nslookup /usr/bin/nslookup {
   include <abstractions/base>
-  include <abstractions/terminfo>
   include <abstractions/nameservice-strict>
+  include <abstractions/terminfo>
 
-  # requested on < plucky, no apparent impact if excluded but included as a sanity case
-  capability sys_admin,
+  # Requested on < plucky by libuv (bind9 dependency), no functional impact from denial
+  deny capability sys_admin,
 
-  # needed for network queries
+  # Needed for network queries
   network inet dgram,
   network inet6 dgram,
   network inet stream,
   network inet6 stream,
 
+  # Read access is requested to the following locations during bare `nslookup`
   /usr/bin/nslookup mr,
-  # read access is requested to the following locations during bare `nslookup`
   /proc/version_signature r,
   /sys/kernel/mm/transparent_hugepage/enabled r,
 
   # `nslookup` performs reads to its own thread often, needed for expected functionality
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
+  # Site-specific additions and overrides. See local/README for details.
   include if exists <local/nslookup>
 }