[Unit] Description=PowerDNS Authoritative Server Documentation=man:pdns_server(1) man:pdns_control(1) Documentation=https://doc.powerdns.com Wants=network-online.target After=network-online.target time-sync.target Conflicts=named.service [Service] ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no SyslogIdentifier=pdns_server User=named Group=named Type=notify Restart=on-failure RestartSec=1 StartLimitInterval=0 RuntimeDirectory=pdns # Sandboxing CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN NoNewPrivileges=true PrivateDevices=true PrivateTmp=true # Setting PrivateUsers=true prevents us from opening our sockets ProtectHome=true # ProtectSystem=full will disallow write access to /etc and /usr, possibly # not being able to write slaved-zones into sqlite3 or zonefiles. ProtectSystem=full RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 SystemCallArchitectures=native DevicePolicy=closed # Not enabled by default because it does not play well with LuaJIT # MemoryDenyWriteExecute=true [Install] WantedBy=multi-user.target