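# coredns.service - runs CoreDNS as an unprivileged, sandboxed system service.
# Read by systemd; see systemd.service(5), systemd.exec(5), systemd.unit(5).
# Upholds= needs systemd >= 249; ProtectProc=/ProcSubset= need >= 247.

[Unit]
Description=CoreDNS server
Documentation=https://coredns.io
After=network.target
# dnscrypt-proxy is pulled in and, via Upholds=, restarted whenever it is found
# inactive while this unit is up. Wants= is redundant on systemd >= 249 but
# keeps the dependency on older versions, which ignore an unknown Upholds=.
# NOTE(review): neither directive orders the two units; if dnscrypt-proxy is the
# upstream resolver, add `After=dnscrypt-proxy.service` here (check that the
# other unit does not order itself after this one first, to avoid a cycle).
Wants=dnscrypt-proxy.service
Upholds=dnscrypt-proxy.service

[Service]
# PermissionsStartOnly=true (deprecated, see systemd.service(5)) was removed: it
# confined User= and the capability settings to ExecStart= only, so ExecReload=
# ran as root. Without it every Exec*= command runs as coredns; `kill` can still
# signal $MAINPID because both processes share the same uid.
User=coredns
LimitNOFILE=1048576
LimitNPROC=512
# The empty assignment first resets the list, then only the capability needed
# to bind port 53 is granted (bounding set) and handed to the process (ambient).
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/usr/local/bin/coredns -conf=/etc/coredns/Corefile
# CoreDNS re-reads its Corefile on SIGUSR1.
ExecReload=/bin/kill -SIGUSR1 $MAINPID
Restart=on-failure
# seconds
RestartSec=5
# With ProtectSystem=strict below, /var/lib/coredns is read-only and must already
# exist; use StateDirectory=coredns instead if CoreDNS has to write there.
WorkingDirectory=/var/lib/coredns
CacheDirectory=coredns
RuntimeDirectory=coredns

# Filesystem and namespace isolation.
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
ProtectHome=true
ProtectHostname=true
ProtectClock=true
ProtectProc=invisible
ProcSubset=pid
RemoveIPC=true
# Empty list: no device nodes beyond the pseudo devices PrivateDevices= provides.
DeviceAllow=

# Privilege and kernel-surface reduction.
# Deny-list filter (leading ~). An allow-list such as @system-service is tighter
# but must be verified against the Go runtime before switching.
SystemCallFilter=~memfd_create @reboot @swap @mount @resources @privileged @cpu-emulation @debug @module @clock @raw-io @obsolete
NoNewPrivileges=true
LockPersonality=true
MemoryDenyWriteExecute=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=true
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictRealtime=true
# socket() is limited to IPv4/IPv6. If a plugin enumerates interfaces
# (AF_NETLINK) or talks to a unix socket, that family must be added here;
# EAFNOSUPPORT errors in the journal are the symptom.
RestrictAddressFamilies=AF_INET AF_INET6
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target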