# systemd service unit template for the unbound DNS resolver.
# The @UNBOUND_*@ tokens are placeholders; presumably they are substituted
# with real paths when the unit is generated. Confirm against the build.

[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
# Ordering only: start after basic networking is up, and before the
# targets that other units use to wait for name resolution.
After=network.target
Before=network-online.target nss-lookup.target
Wants=nss-lookup.target

[Service]
# Type=notify makes systemd wait for a readiness message from the daemon;
# NotifyAccess=main accepts that message from the main process only.
# NOTE(review): ExecStart passes no flags. If the daemon forks into the
# background, the readiness message would not come from the main PID.
# Confirm the shipped configuration keeps it in the foreground (unbound's
# "do-daemonize: no") or that the binary is started with -d.
Type=notify
NotifyAccess=main
ExecStart=@UNBOUND_SBIN_DIR@/unbound
# Reload is a SIGHUP to the main process.
ExecReload=/bin/kill -HUP $MAINPID

# Privilege ceiling. No User= is set in this unit, so the process starts
# as root and this bounding set, together with NoNewPrivileges, is the
# upper limit on what it can hold or regain.
# NOTE(review): CAP_SETUID/CAP_SETGID/CAP_SYS_CHROOT presumably exist for
# the daemon's own privilege drop and chroot at startup. Verify that each
# listed capability, CAP_IPC_LOCK in particular, is still required.
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE
NoNewPrivileges=true

# Filesystem view. ProtectSystem=strict mounts the whole hierarchy
# read-only apart from /dev, /proc and /sys; ReadWritePaths re-opens the
# listed paths for writing.
# NOTE(review): all of /run is writable here, which is wider than
# @UNBOUND_RUN_DIR@ and covers other services' runtime files. Check
# whether only a pid file or a single runtime directory is needed.
# NOTE(review): the configuration directory is writable as well, so a
# compromised daemon could alter its own configuration. Presumably this is
# for files the daemon maintains there; confirm and narrow if possible.
ProtectSystem=strict
ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@ /run @UNBOUND_RUN_DIR@
ProtectHome=true
PrivateTmp=true
PrivateDevices=true

# Kernel interfaces: no module loading, read-only kernel tunables and
# control-group hierarchy.
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true

# Process restrictions: no writable+executable memory mappings, no
# realtime scheduling, and only the sockets a resolver needs
# (IPv4, IPv6, local).
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# System calls: native ABI only. The leading "~" turns the list into a
# deny-list, so anything not named here stays allowed.
# NOTE(review): an allow-list (for example @system-service, where the
# installed systemd provides it) is the tighter form. Also verify that
# nothing the daemon calls falls in @resources, given that
# CAP_SYS_RESOURCE is retained above.
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources

[Install]
WantedBy=multi-user.target