diff --git a/debian/bind9.postinst b/debian/bind9.postinst
index d1fa83f705d86ac86679ca462590c230a18bd7ca..9e3e5183fba85bf0fe5c116b5519a36f8022cf9c 100644
--- a/debian/bind9.postinst
+++ b/debian/bind9.postinst
@@ -72,11 +72,7 @@ if [ "$1" = configure ]; then
 echo '' >> $config
 echo '# startup options for the server' >> $config
- if [ ! -z "$USER" ] && [ ! -z "$CONFFILE" ]; then
- echo "OPTIONS=\"-u $USER -c $CONFFILE\"" >> $config
- elif [ ! -z "$USER" ]; then
- echo "OPTIONS=\"-u $USER\"" >> $config
- elif [ ! -z "$CONFFILE" ]; then
+ if [ ! -z "$CONFFILE" ]; then
 echo "OPTIONS=\"-c $CONFFILE\"" >> $config
 else
 echo "OPTIONS=\"\"" >> $config
diff --git a/debian/bind9.service b/debian/bind9.service
index 246a40501ccb4d4294983b1ec67c5df9acc420d1..2d8a841f435fe5dc04243e713328178b8a75ce7a 100644
--- a/debian/bind9.service
+++ b/debian/bind9.service
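Review bot: The drop to an unprivileged user now rests entirely on `User=bind` in the systemd unit, because the generated `OPTIONS` line in bind9.postinst no longer carries `-u $USER`; if the package still ships an init script or any other start path that reads OPTIONS from this file (not visible in this diff), a fresh install started that way would run named as root. Upgrades go the other way: presumably this block only runs when `$config` is missing or empty, so an existing /etc/default/bind9 keeps `-u` in OPTIONS and hands it to a named that already runs as bind with only CAP_NET_BIND_SERVICE in its bounding set, which should be tested or migrated in postinst. A comment above the new test, such as `# no -u here: bind9.service sets User=bind`, would record why the option was dropped. The `if [ "$1" = configure ]` block starts and ends outside the hunk.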
@@ -11,6 +11,35 @@ EnvironmentFile=/etc/default/bind9
 ExecStart=/usr/sbin/named $OPTIONS
 ExecReload=/usr/sbin/rndc reload
 ExecStop=/usr/sbin/rndc stop
+TimeoutSec=25
+Restart=always
+RestartSec=1
+User=bind
+Group=bind
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+SystemCallFilter=~@mount @debug acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+LimitCORE=infinity
+LimitNOFILE=infinity
+NoNewPrivileges=true
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadOnlyPaths=/sys
+InaccessiblePaths=/home
+InaccessiblePaths=/opt
+InaccessiblePaths=/root
+ReadWritePaths=/run/named
+ReadWritePaths=/var/cache/bind
+ReadWritePaths=/var/lib/bind
 [Install]
 WantedBy=multi-user.target
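Review bot: `ReadWritePaths=/run/named` requires the directory to exist before the unit's mount namespace is set up, and with `User=bind` named no longer starts with the privilege to create it under /run; unless a tmpfiles.d entry elsewhere in the package creates it (not visible in this diff), the service can fail to start after a reboot. `RuntimeDirectory=named` would create the directory owned by the service user and make that line unnecessary. `ProtectSystem=strict` also leaves /var/log read-only, so a `logging` channel that writes to a file there will stop working unless its directory gets its own `ReadWritePaths=` entry. `InaccessiblePaths=/home` and `InaccessiblePaths=/root` repeat what `ProtectHome=true` already enforces, and the long `SystemCallFilter=` line deserves a comment stating that it is a denylist and why those calls were chosen. The [Service] section starts above the hunk.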