diff --git a/plinth/modules/bind/data/lib/systemd/system/bind9.service.d/freedombox.conf b/plinth/modules/bind/data/lib/systemd/system/bind9.service.d/freedombox.conf
index 09e2117cd..0b7d787ed 100644
--- a/plinth/modules/bind/data/lib/systemd/system/bind9.service.d/freedombox.conf
+++ b/plinth/modules/bind/data/lib/systemd/system/bind9.service.d/freedombox.conf
@@ -1,4 +1,5 @@
 [Service]
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE
 LockPersonality=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
@@ -9,7 +10,8 @@ ProtectHome=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectSystem=full
+ProtectSystem=strict
+ReadWritePaths=/var/lib/bind /var/cache/bind /var/run/named
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 RestrictRealtime=yes
 SystemCallArchitectures=native
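Review bot: The added `CapabilityBoundingSet=` line in the first hunk has no comment saying why these five capabilities are the right set, and a bounding set that is too narrow only shows up as a start-up or reload failure. In the BIND versions I know, named's start-up code has also requested `CAP_CHOWN` and `CAP_DAC_READ_SEARCH` before dropping to its unprivileged user. It is worth confirming on the packaged version that start, reload and key-file reads still work with both absent. I would add a comment line above the setting such as `# Upper bound on capabilities: bind port 53, chroot, switch to the unprivileged user, raise resource limits`.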
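Review bot: `ReadWritePaths=` in the second hunk lists `/var/run/named` without the `-` prefix, and systemd fails the unit at namespace set-up when a listed path does not exist. `/var/run` is normally a symlink to the tmpfs `/run`, so that directory has to be recreated on every boot before this unit starts, and nothing in the hunk shows what creates it. Marking the entry optional and using the canonical path avoids a boot-order dependency: `ReadWritePaths=/var/lib/bind /var/cache/bind -/run/named`. With `ProtectSystem=strict` every other location becomes read-only for the service, so any file log channel or zone directory configured outside these three paths would need to be added; that cannot be checked from this diff.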