2 Description=Validating, recursive, and caching DNS resolver
3 Documentation=man:unbound(8)
5 Before=network-online.target nss-lookup.target
6 Wants=nss-lookup.target
9 WantedBy=multi-user.target
12 ExecReload=/bin/kill -HUP $MAINPID
13 ExecStart=@UNBOUND_SBIN_DIR@/unbound
16 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE
17 MemoryDenyWriteExecute=true
22 ProtectControlGroups=true
23 ProtectKernelModules=true
24 ProtectKernelTunables=true
26 ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@ /run @UNBOUND_RUN_DIR@
27 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
29 SystemCallArchitectures=native
30 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources