diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 6c2ad5c..aad1a53 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -28,7 +28,9 @@ WatchdogSec=3min
 User=systemd-resolve
 CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
+PrivateTmp=yes
 PrivateDevices=yes
+ProtectSystems=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
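Review bot: The added `ProtectSystems=strict` line misspells the directive, which is `ProtectSystem=`; systemd warns about the unknown key and ignores the line, so the read-only file-system hardening this commit intends is never applied. Change it to `ProtectSystem=strict`. Once it takes effect, everything outside /dev, /proc and /sys is read-only for the service, so any path the daemon writes at runtime needs a `ReadWritePaths=` or `RuntimeDirectory=` entry; whether the unit already has one is outside this hunk. Running `systemd-analyze verify` on the generated unit would catch misspelled keys like this before they ship.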