diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in
index b572dd1..b25afc9 100644
--- a/dnssec-trigger-script.in
+++ b/dnssec-trigger-script.in
@@ -6,17 +6,20 @@
 """
 
 from gi.repository import NMClient
-import os, sys, shutil, subprocess
+import os, sys, fcntl, shutil, glob, subprocess
 import logging, logging.handlers
 import socket, struct
 
+# Python compatibility stuff
+if not hasattr(os, "O_CLOEXEC"):
+    os.O_CLOEXEC = 0x80000
+
 DEVNULL = open("/dev/null", "wb")
 
 log = logging.getLogger()
 log.setLevel(logging.INFO)
 log.addHandler(logging.handlers.SysLogHandler())
-if sys.stderr.isatty():
-    log.addHandler(logging.StreamHandler())
+log.addHandler(logging.StreamHandler())
 
 # NetworkManager reportedly doesn't pass the PATH environment variable.
 os.environ['PATH'] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@@ -24,12 +27,37 @@ os.environ['PATH'] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/b
 class UserError(Exception):
     pass
 
+class Lock:
+    """Lock used to serialize the script"""
+
+    path = "/var/run/dnssec-trigger/lock"
+
+    def __init__(self):
+        # We don't use os.makedirs(..., exist_ok=True) to ensure Python 2 compatibility
+        dirname = os.path.dirname(self.path)
+        if not os.path.exists(dirname):
+            os.makedirs(dirname)
+        self.lock = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_CLOEXEC, 0o600)
+
+    def __enter__(self):
+        fcntl.lockf(self.lock, fcntl.LOCK_EX)
+
+    def __exit__(self, t, v, tb):
+        fcntl.lockf(self.lock, fcntl.LOCK_UN)
+
 class Config:
     """Global configuration options"""
 
     path = "/etc/dnssec.conf"
-    validate_connection_provided_zones = True
-    add_wifi_provided_zones = False
+
+    bool_options = {
+        "debug": False,
+        "validate_connection_provided_zones": True,
+        "add_wifi_provided_zones": False,
+        "use_vpn_global_forwarders": False,
+        "use_resolv_conf_symlink": False,
+        "use_resolv_secure_conf_symlink": False,
+    }
 
     def __init__(self):
         try:
@@ -37,35 +65,36 @@ class Config:
                 for line in config_file:
                     if '=' in line:
                         option, value = [part.strip() for part in line.split("=", 1)]
-                        if option == "validate_connection_provided_zones":
-                            self.validate_connection_provided_zones = (value == "yes")
-                        elif option == "add_wifi_provided_zones":
-                            self.add_wifi_provided_zones = (value == "yes")
+                        if option in self.bool_options:
+                            self.bool_options[option] = (value == "yes")
         except IOError:
             pass
         log.debug(self)
 
-    def __repr__(self):
-        return "<Config validate_connection_provided_zones={validate_connection_provided_zones} add_wifi_provided_zones={add_wifi_provided_zones}>".format(**vars(self))
+    def __getattr__(self, option):
+        return self.bool_options[option]
+
+    def __str__(self):
+        return "<Config {}>".format(self.bool_options)
 
 class ConnectionList:
     """List of NetworkManager active connections"""
 
     nm_connections = None
 
-    def __init__(self, only_default=False, skip_wifi=False):
+    def __init__(self, client, only_default=False, only_vpn=False, skip_wifi=False):
         # Cache the active connection list in the class
+        if not client.get_manager_running():
+            raise UserError("NetworkManager is not running.")
         if self.nm_connections is None:
-            self.__class__.client = NMClient.Client()
-            self.__class__.nm_connections = self.client.get_active_connections()
+            self.__class__.nm_connections = client.get_active_connections()
         self.skip_wifi = skip_wifi
         self.only_default = only_default
+        self.only_vpn = only_vpn
         log.debug(self)
 
     def __repr__(self):
-        if not list(self):
-            raise Exception("!!!")
-        return "<ConnectionList(only_default={only_default}, skip_wifi={skip_wifi}, connections={})>".format(list(self), **vars(self))
+        return "<ConnectionList(only_default={only_default}, only_vpn={only_vpn}, skip_wifi={skip_wifi}, connections={})>".format(list(self), **vars(self))
 
     def __iter__(self):
         for item in self.nm_connections:
@@ -82,6 +111,8 @@ class ConnectionList:
             # Skip non-default connections if appropriate
             if self.only_default and not connection.is_default:
                 continue
+            if self.only_vpn and not connection.is_vpn:
+                continue
             yield connection
 
     def get_zone_connection_mapping(self):
@@ -190,10 +221,10 @@ class UnboundZoneConfig:
                 if fields.pop(0) in ('forward', 'forward:'):
                     fields.pop(0)
                 secure = False
-                if fields[0] == '+i':
+                if fields and fields[0] == '+i':
                     secure = True
                     fields.pop(0)
-                self.cache[name] = set(fields[3:]), secure
+                self.cache[name] = set(fields), secure
         log.debug(self)
 
     def __repr__(self):
@@ -255,7 +286,7 @@ class Store:
                     line = line.strip()
                     if line:
                         self.cache.add(line)
-        except FileNotFoundError:
+        except IOError:
             pass
         log.debug(self)
 
@@ -277,10 +308,16 @@ class Store:
         log.debug(self)
 
     def update(self, zones):
-        """Commit a new zone list."""
+        """Commit a new set of items and return True when it differs"""
 
-        self.cache = set(zones)
-        log.debug(self)
+        zones = set(zones)
+
+        if zones != self.cache:
+            self.cache = set(zones)
+            log.debug(self)
+            return True
+
+        return False
 
     def remove(self, zone):
         """Remove zone from the cache."""
@@ -309,10 +346,21 @@ class GlobalForwarders:
                     line = line.strip()
                     if line:
                         self.cache.add(line)
-        except FileNotFoundError:
+        except IOError:
             pass
 
 class Application:
+    resolvconf = "/etc/resolv.conf"
+    resolvconf_tmp = "/etc/.resolv.conf.dnssec-trigger"
+    resolvconf_secure = "/etc/resolv-secure.conf"
+    resolvconf_secure_tmp = "/etc/.resolv-secure.conf.dnssec-trigger"
+    resolvconf_backup = "/var/run/dnssec-trigger/resolv.conf.backup"
+    resolvconf_trigger = "/var/run/dnssec-trigger/resolv.conf"
+    resolvconf_trigger_tmp = resolvconf_trigger + ".tmp"
+    resolvconf_networkmanager = "/var/run/NetworkManager/resolv.conf"
+
+    resolvconf_localhost_contents = "# Generated by dnssec-trigger-script\nnameserver 127.0.0.1\n"
+
     def __init__(self, argv):
         if len(argv) > 1 and argv[1] == '--debug':
             argv.pop(1)
@@ -327,108 +375,222 @@ class Application:
             self.method = getattr(self, "run_" + argv[1][2:].replace('-', '_'))
         except AttributeError:
             self.usage()
+
         self.config = Config()
+        if self.config.debug:
+            log.setLevel(logging.DEBUG);
+
+        self.client = NMClient.Client()
 
     def nm_handles_resolv_conf(self):
-        if subprocess.call(["pidof", "NetworkManager"], stdout=DEVNULL, stderr=DEVNULL) != 0:
+        if not self.client.get_manager_running():
+            log.debug("NetworkManager is not running")
             return False
         try:
             with open("/etc/NetworkManager/NetworkManager.conf") as nm_config_file:
                 for line in nm_config_file:
-                    if line.strip == "dns=none":
+                    if line.strip() in ("dns=none", "dns=unbound"):
+                        log.debug("NetworkManager doesn't handle resolv.conf")
                         return False
         except IOError:
             pass
+        log.debug("NetworkManager handles resolv.conf")
         return True
 
     def usage(self):
-        raise UserError("Usage: dnssec-trigger-script [--debug] [--async] --prepare|--update|--update-global-forwarders|--update-connection-zones|--cleanup")
+        raise UserError("Usage: dnssec-trigger-script [--debug] [--async] --prepare|--setup|--update|--update-global-forwarders|--update-connection-zones|--cleanup")
 
     def run(self):
         log.debug("Running: {}".format(self.method.__name__))
         self.method()
 
+    def _check_resolv_conf(self, path):
+        try:
+            with open(path) as source:
+                if source.read() != self.resolvconf_localhost_contents:
+                    log.warning("Detected incorrect contents of {!r}!".format(path))
+                    return False;
+                return True
+        except IOError:
+            return False
+
+    def _write_resolv_conf(self, path):
+        self._try_remove(path)
+        with open(path, "w") as target:
+            target.write(self.resolvconf_localhost_contents)
+
+    def _install_resolv_conf(self, path, path_tmp, symlink=False):
+        if symlink:
+            self._try_remove(path_tmp)
+            os.symlink(self.resolvconf_trigger, path_tmp)
+            self._try_set_mutable(path)
+            os.rename(path_tmp, path)
+        elif not self._check_resolv_conf(path):
+            self._write_resolv_conf(path_tmp)
+            self._try_set_mutable(path)
+            os.rename(path_tmp, path)
+            self._try_set_immutable(path)
+
+    def _try_remove(self, path):
+        self._try_set_mutable(path)
+        try:
+            os.remove(path)
+        except OSError:
+            pass
+
+    def _try_set_immutable(self, path):
+        subprocess.call(["chattr", "+i", path])
+
+    def _try_set_mutable(self, path):
+        if os.path.exists(path) and not os.path.islink(path):
+            subprocess.call(["chattr", "-i", path])
+
     def run_prepare(self):
-        """Prepare for dnssec-trigger."""
+        """Prepare for starting dnssec-trigger
+
+        Called by the service manager before starting dnssec-trigger daemon.
+        """
 
+        # Backup resolv.conf when appropriate
         if not self.nm_handles_resolv_conf():
-            log.info("Backing up /etc/resolv.conf")
-            shutil.copy("/etc/resolv.conf", "/var/run/dnssec-trigger/resolv.conf.bak")
+            try:
+                log.info("Backing up {} as {}...".format(self.resolvconf, self.resolvconf_backup))
+                shutil.move(self.resolvconf, self.resolvconf_backup)
+            except IOError as error:
+                log.warning("Cannot back up {!r} as {!r}: {}".format(self.resolvconf, self.resolvconf_backup, error.strerror))
+
+        # Make sure dnssec-trigger daemon doesn't get confused by existing files.
+        self._try_remove(self.resolvconf)
+        self._try_remove(self.resolvconf_secure)
+        self._try_remove(self.resolvconf_trigger)
+
+    def run_setup(self):
+        """Set up resolv.conf with localhost nameserver
+
+        Called by dnssec-trigger.
+        """
+
+        self._install_resolv_conf(self.resolvconf_trigger, self.resolvconf_trigger_tmp, False)
+        self._install_resolv_conf(self.resolvconf, self.resolvconf_tmp, self.config.use_resolv_conf_symlink)
+        self._install_resolv_conf(self.resolvconf_secure, self.resolvconf_secure_tmp, self.config.use_resolv_secure_conf_symlink)
+
+    def run_restore(self):
+        """Restore resolv.conf with original data
+
+        Called by dnssec-trigger or internally as part of other actions.
+        """
+
+        self._try_remove(self.resolvconf)
+        self._try_remove(self.resolvconf_secure)
+        self._try_remove(self.resolvconf_trigger)
+
+        log.info("Recovering {}...".format(self.resolvconf))
+        if self.nm_handles_resolv_conf():
+            if os.path.isfile(self.resolvconf_networkmanager):
+                os.symlink(self.resolvconf_networkmanager, self.resolvconf)
+            elif os.path.isfile("/sys/fs/cgroup/systemd"):
+                subprocess.check_call(["systemctl", "--ignore-dependencies", "try-restart", "NetworkManager.service"])
+            else:
+                subprocess.check_call(["/etc/init.d/NetworkManager", "restart"])
+        else:
+            try:
+                shutil.move(self.resolvconf_backup, self.resolvconf)
+            except IOError as error:
+                log.warning("Cannot restore {!r} from {!r}: {}".format(self.resolvconf, self.resolvconf_backup, error.strerror))
 
     def run_cleanup(self):
-        """Clean up after dnssec-trigger."""
+        """Clean up after dnssec-trigger daemon
+
+        Called by the service manager after stopping dnssec-trigger daemon.
+        """
+
+        self.run_restore()
 
         stored_zones = Store('zones')
+        stored_servers = Store('servers')
         unbound_zones = UnboundZoneConfig()
 
+        # provide upgrade path for previous versions
+        old_zones = glob.glob("/var/run/dnssec-trigger/????????-????-????-????-????????????")
+        if old_zones:
+            log.info("Reading zones from the legacy zone store")
+            with open("/var/run/dnssec-trigger/zones", "a") as target:
+                for filename in old_zones:
+                    with open(filename) as source:
+                        log.debug("Reading zones from {}".format(filename))
+                        for line in source:
+                            stored_zones.add(line.strip())
+                        os.remove(filename)
+
         log.debug("clearing unbound configuration")
         for zone in stored_zones:
             unbound_zones.remove(zone)
             stored_zones.remove(zone)
+        for server in stored_servers:
+            stored_servers.remove(server)
         stored_zones.commit()
-
-        log.debug("recovering /etc/resolv.conf")
-        subprocess.check_call(["chattr", "-i", "/etc/resolv.conf"])
-        if not self.nm_handles_resolv_conf():
-            shutil.copy("/var/run/dnssec-trigger/resolv.conf.bak", "/etc/resolv.conf")
-        # NetworkManager currently doesn't support explicit /etc/resolv.conf
-        # write out. For now we simply restart the daemon.
-        elif os.path.exists("/sys/fs/cgroup/systemd"):
-            subprocess.check_call(["systemctl", "try-restart", "NetworkManager.service"])
-        else:
-            subprocess.check_call(["/etc/init.d/NetworkManager", "restart"])
+        stored_servers.commit()
 
     def run_update(self):
+        """Update unbound and dnssec-trigger configuration."""
+
         self.run_update_global_forwarders()
         self.run_update_connection_zones()
 
     def run_update_global_forwarders(self):
         """Configure global forwarders using dnssec-trigger-control."""
 
-        subprocess.check_call(["dnssec-trigger-control", "status"], stdout=DEVNULL, stderr=DEVNULL)
+        with Lock():
+            subprocess.check_call(["dnssec-trigger-control", "status"], stdout=DEVNULL, stderr=DEVNULL)
+
+            connections = None
+            if self.config.use_vpn_global_forwarders:
+                connections = list(ConnectionList(self.client, only_vpn=True))
+            if not connections:
+                connections = list(ConnectionList(self.client, only_default=True))
 
-        default_connections = ConnectionList(only_default=True)
-        servers = Store('servers')
+            servers = Store('servers')
 
-        if servers.update(sum((connection.servers for connection in default_connections), [])):
-            subprocess.check_call(["unbound-control", "flush_zone", "."])
-            subprocess.check_call(["dnssec-trigger-control", "submit"] + list(servers))
-            servers.commit()
-        log.info("Global forwarders: {}".format(' '.join(servers)))
+            if servers.update(sum((connection.servers for connection in connections), [])):
+                subprocess.check_call(["unbound-control", "flush_zone", "."])
+                subprocess.check_call(["dnssec-trigger-control", "submit"] + list(servers))
+                servers.commit()
+            log.info("Global forwarders: {}".format(' '.join(servers)))
 
     def run_update_connection_zones(self):
         """Configures forward zones in the unbound using unbound-control."""
 
-        connections = ConnectionList(skip_wifi=not self.config.add_wifi_provided_zones).get_zone_connection_mapping()
-        unbound_zones = UnboundZoneConfig()
-        stored_zones = Store('zones')
-
-        # The purpose of the zone store is to keep the list of Unbound zones
-        # that are managed by dnssec-trigger-script. We don't want to track
-        # zones accoss Unbound restarts. We want to clear any Unbound zones
-        # that are no longer active in NetworkManager.
-        log.debug("removing stored zones not present in both unbound and an active connection")
-        for zone in stored_zones:
-            if zone not in unbound_zones:
-                stored_zones.remove(zone)
-            elif zone not in connections:
-                unbound_zones.remove(zone)
-                stored_zones.remove(zone)
-
-        # We need to install zones that are not yet in Unbound. We also need to
-        # reinstall zones that are already managed by dnssec-trigger in case their
-        # list of nameservers was changed.
-        #
-        # TODO: In some cases, we don't seem to flush Unbound cache properly,
-        # even when Unbound is restarted (and dnssec-trigger as well, because
-        # of dependency).
-        log.debug("installing connection provided zones")
-        for zone in connections:
-            if zone in stored_zones or zone not in unbound_zones:
-                unbound_zones.add(zone, connections[zone].servers, secure=self.config.validate_connection_provided_zones)
-                stored_zones.add(zone)
-
-        stored_zones.commit()
+        with Lock():
+            connections = ConnectionList(self.client, skip_wifi=not self.config.add_wifi_provided_zones).get_zone_connection_mapping()
+            unbound_zones = UnboundZoneConfig()
+            stored_zones = Store('zones')
+
+            # The purpose of the zone store is to keep the list of Unbound zones
+            # that are managed by dnssec-trigger-script. We don't want to track
+            # zones accoss Unbound restarts. We want to clear any Unbound zones
+            # that are no longer active in NetworkManager.
+            log.debug("removing stored zones not present in both unbound and an active connection")
+            for zone in stored_zones:
+                if zone not in unbound_zones:
+                    stored_zones.remove(zone)
+                elif zone not in connections:
+                    unbound_zones.remove(zone)
+                    stored_zones.remove(zone)
+
+            # We need to install zones that are not yet in Unbound. We also need to
+            # reinstall zones that are already managed by dnssec-trigger in case their
+            # list of nameservers was changed.
+            #
+            # TODO: In some cases, we don't seem to flush Unbound cache properly,
+            # even when Unbound is restarted (and dnssec-trigger as well, because
+            # of dependency).
+            log.debug("installing connection provided zones")
+            for zone in connections:
+                if zone in stored_zones or zone not in unbound_zones:
+                    unbound_zones.add(zone, connections[zone].servers, secure=self.config.validate_connection_provided_zones)
+                    stored_zones.add(zone)
+
+            stored_zones.commit()
 
 if __name__ == "__main__":
     try: