diff --git a/etc/systemd/system/unbound.service.d/override-chroot.conf b/etc/systemd/system/unbound.service.d/override-chroot.conf
index 7726bf4..2c50696 100644
--- a/etc/systemd/system/unbound.service.d/override-chroot.conf
+++ b/etc/systemd/system/unbound.service.d/override-chroot.conf
@@ -10,9 +10,10 @@ ProtectControlGroups=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 # This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
-ProtectKernelTunables=false
+ProtectKernelTunables=true
 ProtectProc=invisible
-#ProtectSystem=strict
+# ProtectSystem with strict does not work - need further testing.
+ProtectSystem=full
 #RuntimeDirectory=unbound
 #ConfigurationDirectory=unbound
 #StateDirectory=unbound
diff --git a/etc/systemd/system/unbound.service.d/override.conf b/etc/systemd/system/unbound.service.d/override.conf
index 2d92d56..3ac7132 100644
--- a/etc/systemd/system/unbound.service.d/override.conf
+++ b/etc/systemd/system/unbound.service.d/override.conf
@@ -12,7 +12,8 @@ ProtectKernelModules=true
 # This breaks using socket options like 'so-rcvbuf'.
 ProtectKernelTunables=true
 ProtectProc=invisible
-#ProtectSystem=strict
+# ProtectSystem with strict does not work - need further testing.
+ProtectSystem=full
 #RuntimeDirectory=unbound
 #ConfigurationDirectory=unbound
 #StateDirectory=unbound
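Review bot: The comment above `ProtectKernelTunables=true` in override-chroot.conf still ends with "Explicitly disable for visibility.", which now contradicts the value on the next line. Either drop that sentence or reword the comment to match the new state, e.g. `# May break socket options like 'so-rcvbuf' - enabled, verify buffer sizes still apply.`, assuming that was actually checked with the chroot setup. A stale comment next to a hardening directive invites a later reader to switch the protection off again on its authority.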
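Review bot: The new comment `# ProtectSystem with strict does not work - need further testing.` in override.conf (and the identical line in override-chroot.conf) does not record what failed, so the follow-up has nothing to start from. `ProtectSystem=full` only makes /usr, the boot loader directories and /etc read-only, while `strict` normally needs the service's writable paths declared; the still commented-out `#RuntimeDirectory=`/`#StateDirectory=` lines below, or a `ReadWritePaths=` entry, would be the usual way to do that, though the diff does not show whether that was the cause. I would name the symptom in the comment, e.g. `# strict fails: unbound cannot write <path>; needs StateDirectory=/ReadWritePaths= - TODO`. It is also worth confirming that nothing unbound writes at runtime lives under /etc, since `full` makes it read-only.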