diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 2a09e3dd4..7dc03855f 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -197,6 +197,8 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
 assert(derivationType);
+ networked = parsedDrv->getBoolAttr("__networked");
+
 /* Are we doing a chroot build? */
 {
 auto noChroot = parsedDrv->getBoolAttr("__noChroot");
@@ -214,7 +216,7 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
 else if (settings.sandboxMode == smDisabled)
 useChroot = false;
 else if (settings.sandboxMode == smRelaxed)
- useChroot = derivationType->isSandboxed() && !noChroot;
+ useChroot = !networked && derivationType->isSandboxed() && !noChroot;
 }
 auto & localStore = getLocalStore();
@@ -737,7 +739,7 @@ void LocalDerivationGoal::startBuilder()
 "nogroup:x:65534:\n", sandboxGid()));
 /* Create /etc/hosts with localhost entry. */
- if (derivationType->isSandboxed())
+ if (!networked && derivationType->isSandboxed())
 writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
 /* Make the closure of the inputs available in the chroot,
@@ -938,7 +940,7 @@ void LocalDerivationGoal::startBuilder()
 us. */
- if (derivationType->isSandboxed())
+ if (!networked && derivationType->isSandboxed())
 privateNetwork = true;
 userNamespaceSync.create();
@@ -1177,7 +1179,7 @@ void LocalDerivationGoal::initEnv()
 to the builder is generally impure, but the output of fixed-output derivations is by definition pure (since we already know the cryptographic hash of the output). */
- if (!derivationType->isSandboxed()) {
+ if (networked || !derivationType->isSandboxed()) {
 auto & impureEnv = settings.impureEnv.get();
 if (!impureEnv.empty())
 experimentalFeatureSettings.require(Xp::ConfigurableImpureEnv);
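Review bot: The `__networked` attribute read at `networked = parsedDrv->getBoolAttr("__networked");` is honored with no policy gate, so any derivation can opt itself out of network isolation: it keeps `privateNetwork` unset in hunk @@ -938, weakens the chroot decision in hunk @@ -214, and on Darwin pulls `sandbox-network.sb` into the profile in hunk @@ -2083. `__noChroot` is consulted only in the `smRelaxed` branch here, and the `smEnabled` branch that lies between the first two hunks (outside this view) presumably rejects it; `__networked` gets no equivalent check, and unlike a fixed-output derivation its output is not pinned by a hash, so a network-dependent result is recorded as if it were a pure build. Consider rejecting the attribute in strict sandbox mode, e.g. directly after the assignment: `if (networked && settings.sandboxMode == smEnabled) throw Error("derivation has '__networked' set, but that's not allowed when 'sandbox' is 'true'");`, or at minimum gating it behind a setting the administrator controls rather than the derivation author. tryLocalBuild continues outside the hunk.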
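Review bot: The context comment above `if (networked || !derivationType->isSandboxed()) {` justifies passing impure environment variables by the fixed-output hash ("since we already know the cryptographic hash of the output"), and the comment in hunk @@ -1851 gives the same fixed-output rationale for exposing /etc/resolv.conf; neither holds for a networked derivation, whose output is not hash-pinned, so both comments now state a reason the condition no longer follows. Extend the comment in this hunk with a sentence such as `Derivations marked __networked are also treated as impure here even though their output is not fixed, so the purity argument above does not apply to them.` and add a matching sentence to the comment in @@ -1851. initEnv continues outside the hunk.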
@@ -1851,7 +1853,7 @@ void LocalDerivationGoal::runChild()
 /* Fixed-output derivations typically need to access the network, so give them access to /etc/resolv.conf and so on. */
- if (!derivationType->isSandboxed()) {
+ if (networked || !derivationType->isSandboxed()) {
 // Only use nss functions to resolve hosts and
 // services. Don’t use it for anything else that may
 // be configured for this system. This limits the
@@ -2083,7 +2085,7 @@ void LocalDerivationGoal::runChild()
 #include "sandbox-defaults.sb"
 ;
- if (!derivationType->isSandboxed())
+ if (networked || !derivationType->isSandboxed())
 sandboxProfile +=
 #include "sandbox-network.sb"
 ;
diff --git a/src/libstore/unix/build/local-derivation-goal.hh b/src/libstore/unix/build/local-derivation-goal.hh
index bf25cf2a6..28f8c1e95 100644
--- a/src/libstore/unix/build/local-derivation-goal.hh
+++ b/src/libstore/unix/build/local-derivation-goal.hh
@@ -83,6 +83,8 @@ struct LocalDerivationGoal : public DerivationGoal
 */
 Path chrootRootDir;
+ bool networked;
+
 /**
 * RAII object to delete the chroot directory.
 */
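Review bot: `bool networked;` is added to LocalDerivationGoal without an initializer, yet it is only assigned in tryLocalBuild (hunk @@ -197 of the .cc) and is read in startBuilder, initEnv and runChild; if any of those ever run on a path that skips the assignment, the read is of an indeterminate value whose "true" outcome silently grants network access. Default it to the safe value and document its meaning, replacing the line with `/** Set from the derivation's __networked attribute; when true the builder is not placed in a private network namespace. */` followed by `bool networked = false;`. The struct continues outside the hunk.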