diff --git a/Dockerfile b/Dockerfile
index a610760..0386d33 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,11 +13,26 @@ RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.version=${VERSION}"
 
 FROM alpine:3.21
 
-RUN addgroup -S mcns && adduser -S mcns -G mcns
+RUN apk add --no-cache ca-certificates tzdata \
+    && addgroup -S mcns \
+    && adduser -S -G mcns -h /srv/mcns -s /sbin/nologin mcns \
+    && mkdir -p /srv/mcns && chown mcns:mcns /srv/mcns
+
 COPY --from=builder /build/mcns /usr/local/bin/mcns
 
+# /srv/mcns is the single volume mount point.
+# It must contain:
+#   mcns.toml  — configuration file
+#   certs/     — TLS certificate and key
+#   mcns.db    — created automatically on first run
+VOLUME /srv/mcns
+WORKDIR /srv/mcns
+
+EXPOSE 53/udp 53/tcp
+EXPOSE 8443
+EXPOSE 9443
+
 USER mcns
-EXPOSE 53/udp 53/tcp 8443 9443
 
 ENTRYPOINT ["mcns"]
 CMD ["server", "--config", "/srv/mcns/mcns.toml"]