2 Description=Validating, recursive, and caching DNS resolver
3 Documentation=man:unbound(8)
6 WantedBy=multi-user.target
9 ExecReload=/bin/kill -HUP $MAINPID
10 ExecStart=@UNBOUND_SBIN_DIR@/unbound
13 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
14 MemoryDenyWriteExecute=true
19 ProtectControlGroups=true
20 ProtectKernelModules=true
21 ProtectKernelTunables=true
23 ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@ /run @UNBOUND_RUN_DIR@
24 RestrictAddressFamilies=AF_INET AF_UNIX
26 SystemCallArchitectures=native
27 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources