diff --git a/Dockerfile b/Dockerfile
index 09ebd672e..5202e8b7b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,8 +8,8 @@ RUN export DEBCONF_NONINTERACTIVE_SEEN=true \
            DEBIAN_PRIORITY=critical \
            TERM=linux ; \
     apt-get -qq update ; \
-    apt-get -yyqq upgrade ; \
-    apt-get -yyqq install ca-certificates libcap2-bin; \
+    apt-get -qq upgrade ; \
+    apt-get -qq --no-install-recommends install ca-certificates libcap2-bin; \
     apt-get clean
 COPY coredns /coredns
 RUN setcap cap_net_bind_service=+ep /coredns
@@ -18,6 +18,8 @@ FROM --platform=$TARGETPLATFORM ${BASE}
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=build /coredns /coredns
 USER nonroot:nonroot
+# Reset the working directory inherited from the base image back to the expected default:
+# https://github.com/coredns/coredns/issues/7009#issuecomment-3124851608
 WORKDIR /
 EXPOSE 53 53/udp
 ENTRYPOINT ["/coredns"]