diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index b33c3706d..e5b716c61 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -6,3 +6,21 @@ ExecReload=/bin/kill -HUP $MAINPID
 [Install]
 WantedBy=multi-user.target
+
+[Unit]
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/etc/unbound /run
+RestrictAddressFamilies=AF_INET AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+
diff --git a/doc/Changelog b/doc/Changelog
index 3c1801c29..87a0cc528 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+6 March 2017: Wouter - Fix #1229: Systemd service sandboxing in contrib/unbound.service.
+
 28 February 2017: Ralph - Fix testpkts.c, check if DO bit is set, not only if there is an OPT record.
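Review bot: The sandboxing directives are added under a new `[Unit]` header, but CapabilityBoundingSet, NoNewPrivileges, ProtectSystem, SystemCallFilter and the rest are all `[Service]`-section settings, so systemd will log them as unknown lvalues in `[Unit]` and start unbound with none of this hardening applied. The hunk header shows the existing `[Service]` section (the one holding `ExecReload=`) lies above line 6; either change the added header to `[Service]` or move the block into that section rather than appending a second section after `[Install]`. Once the settings do take effect, `ProtectSystem=strict` with `ReadWritePaths=/etc/unbound /run` will make any other directory unbound writes to (for example a separately configured working or anchor directory) read-only, so that list should be checked against the shipped configuration. `SystemCallFilter=~... mount ...` names the single `mount` syscall rather than the `@mount` group; if the intent was the whole group, it should read `@mount`.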