diff --git a/Cargo.toml b/Cargo.toml
index 9a2df58..dfc0b7a 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -39,6 +39,7 @@ mimalloc = { version = "0.1.29", default-features = false }
 socket2 = "0.4.4"
 parking_lot = "0.12.1"
 rand = "0.8.5"
+rlimit = "0.8.3"
 rustc-hash = "1.1.0"
 serde = "1.0.137"
 serde_derive = "1.0.137"
diff --git a/src/main.rs b/src/main.rs
index e04b069..f2cb8bd 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -549,6 +549,7 @@ fn main() -> Result<(), Error> {
 
     let config_path = matches.value_of("config").unwrap();
     let config = Config::from_path(config_path)?;
+    _ = set_limits(&config);
     let dnscrypt_enabled = config.dnscrypt.enabled.unwrap_or(true);
     let provider_name = match &config.dnscrypt.provider_name {
         provider_name if provider_name.starts_with("2.dnscrypt-cert.") => provider_name.to_string(),
@@ -789,3 +790,23 @@ fn main() -> Result<(), Error> {
     time_updater.stop()?;
     Ok(())
 }
+
+#[cfg(not(target_family = "unix"))]
+fn set_limits(config: &Config) -> Result<(), Error> {
+    Ok(())
+}
+
+#[cfg(target_family = "unix")]
+fn set_limits(config: &Config) -> Result<(), Error> {
+    use rlimit::Resource;
+    let nb_descriptors = 2u32
+        .saturating_mul(
+            config
+                .tcp_max_active_connections
+                .saturating_add(config.udp_max_active_connections)
+                .saturating_add(config.listen_addrs.len() as u32),
+        )
+        .saturating_add(16);
+    Resource::NOFILE.set(nb_descriptors as _, nb_descriptors as _)?;
+    Ok(())
+}