diff --git a/Dockerfile b/Dockerfile
index 57060e79..adc451ef 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,24 +1,24 @@
 ARG BASE_IMAGE=alpine
-ARG ALPINE_VERSION=3.9
+ARG ALPINE_VERSION=3.10
 FROM ${BASE_IMAGE}:${ALPINE_VERSION}
 ARG BUILD_DATE
 ARG VCS_REF
 LABEL org.label-schema.schema-version="1.0.0-rc1" \
- maintainer="quentin.mcgaw@gmail.com" \
- org.label-schema.build-date=$BUILD_DATE \
- org.label-schema.vcs-ref=$VCS_REF \
- org.label-schema.vcs-url="https://github.com/qdm12/private-internet-access-docker" \
- org.label-schema.url="https://github.com/qdm12/private-internet-access-docker" \
- org.label-schema.vcs-description="VPN client to tunnel to private internet access servers using OpenVPN, IPtables, DNS over TLS and Alpine Linux" \
- org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
- org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
- org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
- org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,BLOCK_NSA=on/off,UNBLOCK=allowed hostnames,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
- org.label-schema.version="" \
- image-size="19.6MB" \
- ram-usage="13MB to 80MB" \
- cpu-usage="Low to Medium"
+ maintainer="quentin.mcgaw@gmail.com" \
+ org.label-schema.build-date=$BUILD_DATE \
+ org.label-schema.vcs-ref=$VCS_REF \
+ org.label-schema.vcs-url="https://github.com/qdm12/private-internet-access-docker" \
+ org.label-schema.url="https://github.com/qdm12/private-internet-access-docker" \
+ org.label-schema.vcs-description="VPN client to tunnel to private internet access servers using OpenVPN, IPtables, DNS over TLS and Alpine Linux" \
+ org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
+ org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
+ org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
+ org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,BLOCK_NSA=on/off,UNBLOCK=allowed hostnames,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
+ org.label-schema.version="" \
+ image-size="19.8MB" \
+ ram-usage="13MB to 80MB" \
+ cpu-usage="Low to Medium"
 ENV USER= \
 PASSWORD= \
 ENCRYPTION=strong \
@@ -33,16 +33,16 @@ ENTRYPOINT /entrypoint.sh
 HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
 RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \
 wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \
- https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \
- https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip \
- https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip && \
+ https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \
+ https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip \
+ https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip && \
 mkdir -p /openvpn/target && \
 unzip -q openvpn.zip -d /openvpn/udp-normal && \
 unzip -q openvpn-strong.zip -d /openvpn/udp-strong && \
 unzip -q openvpn-tcp.zip -d /openvpn/tcp-normal && \
 unzip -q openvpn-strong-tcp.zip -d /openvpn/tcp-strong && \
 apk del -q --progress --purge unzip && \
- rm -rf /*.zip /var/cache/apk/* /etc/unbound/unbound.conf /usr/sbin/unbound-anchor /usr/sbin/unbound-checkconf /usr/sbin/unbound-control /usr/sbin/unbound-control-setup /usr/sbin/unbound-host && \
+ rm -rf /*.zip /var/cache/apk/* /etc/unbound/* /usr/sbin/unbound-anchor /usr/sbin/unbound-checkconf /usr/sbin/unbound-control /usr/sbin/unbound-control-setup /usr/sbin/unbound-host && \
 adduser nonrootuser -D -H --uid 1000 && \
 wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/named.root.updated -O /etc/unbound/root.hints && \
 wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/root.key.updated -O /etc/unbound/root.key && \
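Review bot: The widened `rm -rf /etc/unbound/*` is immediately followed by `wget -q` fetches of root.hints and root.key (presumably the DNSSEC trust anchor Unbound validates against) from the `master` branch of the qdm12/updated repository, and nothing in the visible part of this RUN checks what was downloaded; the same holds for the four PIA zip files earlier in the chain. Whatever those URLs serve at build time lands in the image unverified, so an upstream change or a served error page only surfaces when the resolver or OpenVPN misbehaves at runtime. Pin the raw.githubusercontent.com URLs to a commit id instead of `master` and verify each file against a recorded digest before it is used, e.g. `echo '<EXPECTED_SHA256>  /etc/unbound/root.key' | sha256sum -c -` (same pattern for root.hints and the zips), so the build fails instead of silently shipping a different file. `ca-certificates` is installed here so the TLS peer can be authenticated, but that says nothing about the content. The RUN instruction continues past the end of the hunk.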
@@ -60,9 +60,6 @@ COPY unbound.conf /etc/unbound/unbound.conf
 COPY entrypoint.sh healthcheck.sh /
 RUN chown nonrootuser -R /etc/unbound && \
 chmod 700 /etc/unbound && \
- chmod 500 /entrypoint.sh healthcheck.sh && \
- chmod 400 \
- /etc/unbound/root.hints \
- /etc/unbound/root.key \
- /etc/unbound/unbound.conf \
- /etc/unbound/*.bz2
+ chmod 600 /etc/unbound/unbound.conf && \
+ chmod 500 /entrypoint.sh /healthcheck.sh && \
+ chmod 400 /etc/unbound/root.hints /etc/unbound/root.key /etc/unbound/*.bz2
diff --git a/README.md b/README.md
index 847b3da3..f51f7d29 100644
--- a/README.md
+++ b/README.md
@@ -22,14 +22,14 @@
 | Image size | RAM usage | CPU usage |
 | --- | --- | --- |
-| 19.6MB | 14MB to 80MB | Low to Medium |
+| 19.8MB | 14MB to 80MB | Low to Medium |
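Review bot: `chmod 600 /etc/unbound/unbound.conf`, together with `chown nonrootuser -R /etc/unbound` at the top of this RUN, makes the resolver configuration writable by the unprivileged runtime user, where the removed lines kept it read-only at 400. Presumably entrypoint.sh rewrites the file at start-up (not visible here), but the effect is that any process running as nonrootuser can also alter the DNS configuration it resolves through, including whatever blocking or DNS-over-TLS settings it carries. If that rewrite happens before privileges are dropped, the file can stay root-owned and read-only for the runtime user; if not, a comment on this line explaining why write access is needed would save the next reader the question, e.g. `# entrypoint.sh edits unbound.conf at start-up, so the runtime user needs write access`.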
Click to show base components

-- [Alpine 3.9](https://alpinelinux.org) for a tiny image
-- [OpenVPN 2.4.6-r3](https://pkgs.alpinelinux.org/package/v3.9/main/x86_64/openvpn) to tunnel to PIA servers
-- [IPtables 1.6.2-r0](https://pkgs.alpinelinux.org/package/v3.9/main/x86_64/iptables) enforces the container to communicate only through the VPN or with other containers in its virtual network (acts as a killswitch)
-- [Unbound 1.7.3-r0](https://pkgs.alpinelinux.org/package/v3.9/main/x86_64/unbound) configured with Cloudflare's [1.1.1.1](https://1.1.1.1) DNS over TLS
+- [Alpine 3.10](https://alpinelinux.org) for a tiny image
+- [OpenVPN 2.4.7](https://pkgs.alpinelinux.org/package/v3.10/main/x86_64/openvpn) to tunnel to PIA servers
+- [IPtables 1.8.3](https://pkgs.alpinelinux.org/package/v3.10/main/x86_64/iptables) enforces the container to communicate only through the VPN or with other containers in its virtual network (acts as a killswitch)
+- [Unbound 1.9.1](https://pkgs.alpinelinux.org/package/v3.10/main/x86_64/unbound) configured with Cloudflare's [1.1.1.1](https://1.1.1.1) DNS over TLS
 - [Files and blocking lists built periodically](https://github.com/qdm12/updated/tree/master/files) used with Unbound (see `BLOCK_MALICIOUS` and `BLOCK_NSA` environment variables)

@@ -124,7 +124,7 @@ Check the PIA IP address matches your expectations
 ```sh
-docker run --rm --network=container:pia alpine:3.9 wget -qO- https://ipinfo.io
+docker run --rm --network=container:pia alpine:3.10 wget -qO- https://ipinfo.io
 ```
 ## Environment variables