1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
[Unit]
Description=@Description@
Documentation=man:dnsdist(1)
Documentation=https://dnsdist.org
Wants=network-online.target
After=network-online.target time-sync.target
[Service]
ExecStartPre=@BinDir@/dnsdist --check-config @ConfigFile@
# Note: when editing the ExecStart command, keep --supervised and --disable-syslog
ExecStart=@BinDir@/dnsdist --supervised --disable-syslog @ConfigFile@
User=@ServiceUser@
Group=@ServiceGroup@
SyslogIdentifier=@SyslogIdentifier@
Type=notify
Restart=on-failure
RestartSec=2
TimeoutStopSec=5
StartLimitInterval=0
# Tuning
TasksMax=8192
LimitNOFILE=1000000
# Note: increasing the amount of lockable memory is required to use eBPF support
# LimitMEMLOCK=infinity
# Sandboxing
# Note: adding CAP_SYS_ADMIN is required to use eBPF support,
# and CAP_NET_RAW to be able to set the source interface to contact a backend
# If an AppArmor policy is in use, it might have to be updated to allow dnsdist to keep the
# capability: adding a 'capability sys_admin,' line to the policy is usually enough.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
@LockPersonality@
NoNewPrivileges=true
@PrivateDevices@
@PrivateTmp@
# Setting PrivateUsers=true prevents us from opening our sockets
@ProtectClock@
@ProtectControlGroups@
@ProtectHome@
@ProtectHostname@
@ProtectKernelLogs@
@ProtectKernelModules@
@ProtectKernelTunables@
@ProtectSystem@
@RestrictAddressFamilies@
@RestrictNamespaces@
@RestrictRealtime@
@RestrictSUIDSGID@
@SystemCallArchitectures@
@SystemCallFilter@
@ProtectProc@
@PrivateIPC@
@RemoveIPC@
DevicePolicy=closed
# Not enabled by default because it does not play well with LuaJIT
@MemoryDenyWriteExecute@
[Install]
WantedBy=multi-user.target
|
