diff --git a/GCP-Debian-11.sh b/GCP-Debian-11.sh
index 012cd8a..378568b 100644
--- a/GCP-Debian-11.sh
+++ b/GCP-Debian-11.sh
@@ -46,7 +46,43 @@ forward-zone:
   forward-addr: 8.8.4.4#dns.google
   forward-addr: 2001:4860:4860::8888#dns.google
   forward-addr: 2001:4860:4860::8844#dns.google' | sudo tee /etc/unbound/unbound.conf.d/custom.conf
-  
+
+mkdir -p /etc/systemd/system/unbound.service.d
+echo $'[Service]
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+# This breaks using socket options like \'so-rcvbuf\'. Explicitly disable for visibility.
+ProtectKernelTunables=false
+ProtectProc=invisible
+ProtectSystem=strict
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
+StateDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
+ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
+
+# Below rules are needed when chroot is enabled (usually it\'s enabled by default).
+# If chroot is disabled like chroot: "" then they may be safely removed.
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
+BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
+BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
+BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log' | sudo tee /etc/systemd/system/unbound.service.d/override.conf
+
 sudo systemctl restart unbound
 
 sudo mkdir -p /etc/systemd/system/sshd.service.d