diff --git a/Dockerfile b/Dockerfile
index 4f8b66360fa477afd0097f48504804fbe38e0135..7dbf42f21fb8345c19980099735bbc8521a2b9a8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,11 +4,14 @@ FROM registry.hub.docker.com/cznic/knot:latest
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
         gettext-base \
+        libcap2-bin \
     && \
+    setcap CAP_NET_BIND_SERVICE=+ep /sbin/knotd && \
+    chmod 777 /storage /rundir && \
     rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/*
 COPY --chown=root:root entrypoint /usr/local/bin/
 COPY --chown=root:root knot.conf /etc/knot/
-EXPOSE 53/tcp 53/udp
 ENTRYPOINT ["entrypoint"]
 CMD ["knotd", "-vc", "/etc/knot/knot.conf"]
+USER nobody
 HEALTHCHECK CMD knotc status
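Review bot: `chmod 777 /storage /rundir` in the RUN step makes both directories writable by every uid in the container, which is broader than the new `USER nobody` needs. Hand them to the runtime account instead, e.g. `chown nobody /storage /rundir && chmod 700 /storage /rundir`, so that only the daemon can write there. These paths presumably hold zone data and the control socket, and if DNSSEC keys are kept under /storage they should not be world-readable either. `nobody` is by convention an account shared with other software, so a dedicated user with a fixed numeric UID would be a cleaner owner. The file capability added by `setcap` is not applied when the container runs with no-new-privileges, so a comment such as `# knotd binds port 53 via a file capability; this does not work under no-new-privileges` above the RUN would help operators, and removing `EXPOSE 53/tcp 53/udp` drops the only in-file record of the ports the service presumably listens on.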