dnss.service

[Unit]
Description = dnss daemon - DNS over HTTPS mode

# Note we get the sockets via systemd, see dnss.socket.
Requires=dnss.socket

[Service]
ExecStart=/usr/local/bin/dnss \
        --dns_listen_addr=systemd \
        --monitoring_listen_addr=127.0.0.1:8081 \
        --enable_dns_to_https


Type = simple
Restart = always

# Use a dynamic user, since dnss doesn't use any persistent storage anyway.
DynamicUser = true
User = dnss
Group = dnss

# Some security measures to reduce unnecessary exposure, just in case.
CapabilityBoundingSet =
ProtectSystem = strict
PrivateUsers = true
PrivateDevices = true
RestrictNamespaces = true
ProtectControlGroups = yes
ProtectProc = invisible
ProcSubset = pid
SystemCallArchitectures = native
SystemCallFilter = @system-service
ProtectKernelModules = yes
ProtectKernelTunables = yes


[Install]
Also=dnss.socket
WantedBy = multi-user.target