diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c
index 7127cbfc12..95f0cac49c 100644
--- a/src/resolve/resolved-manager.c
+++ b/src/resolve/resolved-manager.c
@@ -653,6 +653,7 @@ static int manager_dispatch_reload_signal(sd_event_source *s, const struct signa
 dns_server_unlink_on_reload(m->dns_servers);
 dns_server_unlink_on_reload(m->fallback_dns_servers);
 m->dns_extra_stub_listeners = ordered_set_free(m->dns_extra_stub_listeners);
+ manager_dns_stub_stop(m);
 dnssd_service_clear_on_reload(m->dnssd_services);
 m->unicast_scope = dns_scope_free(m->unicast_scope);
 m->delegates = hashmap_free(m->delegates);
@@ -691,6 +692,10 @@ static int manager_dispatch_reload_signal(sd_event_source *s, const struct signa
 manager_flush_caches(m, LOG_INFO);
 manager_verify_all(m);
+ r = manager_dns_stub_start(m);
+ if (r < 0)
+ return sd_event_exit(sd_event_source_get_event(s), r);
+ (void) sd_notify(/* unset_environment= */ false, NOTIFY_READY_MESSAGE);
 return 0;
 }
diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
index 0676c4529f..ea3e6a689c 100644
--- a/src/resolve/resolved.c
+++ b/src/resolve/resolved.c
@@ -56,11 +56,10 @@ static int run(int argc, char *argv[]) {
 if (r < 0)
 return log_error_errno(r, "Could not create runtime directory: %m");
- /* Drop privileges, but keep three caps. Note that we drop two of those too, later on (see below) */
+ /* Drop privileges, but keep two caps. */
 r = drop_privileges(uid, gid,
- (UINT64_C(1) << CAP_NET_RAW)| /* needed for SO_BINDTODEVICE */
- (UINT64_C(1) << CAP_NET_BIND_SERVICE)| /* needed to bind on port 53 */
- (UINT64_C(1) << CAP_SETPCAP) /* needed in order to drop the caps later */);
+ (UINT64_C(1) << CAP_NET_RAW)| /* needed for SO_BINDTODEVICE */
+ (UINT64_C(1) << CAP_NET_BIND_SERVICE)); /* needed to bind on port 53 */
 if (r < 0)
 return log_error_errno(r, "Failed to drop privileges: %m");
 }
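Review bot: The added `manager_dns_stub_stop(m);` in manager_dispatch_reload_signal() (resolved-manager.c, first hunk) closes the stub listeners about forty lines before the matching manager_dns_stub_start() in the next hunk, so local clients are presumably refused for the duration of the reload, and any early return in the unseen lines between the two calls would leave the stub down. A one-line comment at the call would make the pairing explicit, e.g. `/* Stub listeners are re-created at the end of the reload, see manager_dns_stub_start() below */`. The function starts and ends outside this hunk, so the paths in between need to be checked against the full file.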
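Review bot: In manager_dispatch_reload_signal() (resolved-manager.c, second hunk) a failed manager_dns_stub_start() makes the reload handler call sd_event_exit(), so a reload can now shut the resolver down, and nothing at this call site logs why. Unless manager_dns_stub_start() already logs every failure itself (its body is not in the diff), add `log_error_errno(r, "Failed to restart DNS stub listeners: %m");` before the `return`, with braces around the two statements. It is also worth deciding whether a listener that cannot be re-bound should be fatal at all, or whether logging and continuing without the stub is the safer behaviour for a reload. The function starts outside the hunk.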
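Review bot: The rewritten comment in run() (resolved.c, first hunk) says only "keep two caps" and no longer tells the reader that both now stay for the whole lifetime of a daemon that parses untrusted network input. Judging by the removed comment and the removed capability_bounding_set_drop() call in the following hunk, which names only CAP_NET_RAW, CAP_NET_BIND_SERVICE used to be given up after startup and is now retained, presumably so the stub can be re-bound on reload. I would record that reason and the trade-off in place, e.g. `/* Drop privileges, but keep two caps for the whole runtime: the stub listeners are re-created on reload and need both again. */`. run() starts and ends outside the hunk.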
@@ -78,11 +77,6 @@ static int run(int argc, char *argv[]) {
 (void) manager_check_resolv_conf(m);
- /* Let's drop the remaining caps now */
- r = capability_bounding_set_drop((UINT64_C(1) << CAP_NET_RAW), true);
- if (r < 0)
- return log_error_errno(r, "Failed to drop remaining caps: %m");
- notify_stop = notify_start(NOTIFY_READY_MESSAGE, NOTIFY_STOPPING_MESSAGE);
 r = sd_event_loop(m->event);