diff --git a/pdns/dnsdistdist/dnsdist-configuration.hh b/pdns/dnsdistdist/dnsdist-configuration.hh
index 01c3dd4b37aa..7f36034d7652 100644
--- a/pdns/dnsdistdist/dnsdist-configuration.hh
+++ b/pdns/dnsdistdist/dnsdist-configuration.hh
@@ -145,6 +145,7 @@ static_assert(s_defaultPayloadSizeSelfGenAnswers < s_udpIncomingBufferSize, "The
 
 struct Configuration
 {
+  std::set<std::string> d_capabilitiesToRetain;
   std::string d_consoleKey;
 #ifdef __linux__
   // On Linux this gives us 128k pending queries (default is 8192 queries),
diff --git a/pdns/dnsdistdist/dnsdist-lua.cc b/pdns/dnsdistdist/dnsdist-lua.cc
index 02187636ee2a..abb1bc1e6405 100644
--- a/pdns/dnsdistdist/dnsdist-lua.cc
+++ b/pdns/dnsdistdist/dnsdist-lua.cc
@@ -443,7 +443,9 @@ static void handleNewServerSourceParameter(boost::optional<newserver_t>& vars, D
         }
 #ifdef SO_BINDTODEVICE
         /* we need to retain CAP_NET_RAW to be able to set SO_BINDTODEVICE in the health checks */
-        g_capabilitiesToRetain.insert("CAP_NET_RAW");
+        dnsdist::configuration::updateImmutableConfiguration([](dnsdist::configuration::Configuration& config) {
+          config.d_capabilitiesToRetain.insert("CAP_NET_RAW");
+        });
 #endif
       }
       else {
@@ -3295,17 +3297,22 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
 #endif /* HAVE_LIBSSL && HAVE_OCSP_BASIC_SIGN && !DISABLE_OCSP_STAPLING */
 
   luaCtx.writeFunction("addCapabilitiesToRetain", [](LuaTypeOrArrayOf<std::string> caps) {
-    if (!checkConfigurationTime("addCapabilitiesToRetain")) {
-      return;
-    }
-    setLuaSideEffect();
-    if (caps.type() == typeid(std::string)) {
-      g_capabilitiesToRetain.insert(boost::get<std::string>(caps));
+    try {
+      dnsdist::configuration::updateImmutableConfiguration([&caps](dnsdist::configuration::Configuration& config) {
+        if (caps.type() == typeid(std::string)) {
+          config.d_capabilitiesToRetain.insert(boost::get<std::string>(caps));
+        }
+        else if (caps.type() == typeid(LuaArray<std::string>)) {
+          for (const auto& cap : boost::get<LuaArray<std::string>>(caps)) {
+            config.d_capabilitiesToRetain.insert(cap.second);
+          }
+        }
+      });
+      setLuaSideEffect();
     }
-    else if (caps.type() == typeid(LuaArray<std::string>)) {
-      for (const auto& cap : boost::get<LuaArray<std::string>>(caps)) {
-        g_capabilitiesToRetain.insert(cap.second);
-      }
+    catch (const std::exception& exp) {
+      g_outputBuffer = "addCapabilitiesToRetain cannot be used at runtime!\n";
+      errlog("addCapabilitiesToRetain cannot be used at runtime!");
     }
   });
 
diff --git a/pdns/dnsdistdist/dnsdist.cc b/pdns/dnsdistdist/dnsdist.cc
index 87d13d179cdb..78f1256770ab 100644
--- a/pdns/dnsdistdist/dnsdist.cc
+++ b/pdns/dnsdistdist/dnsdist.cc
@@ -137,8 +137,6 @@ Rings g_rings;
 
 GlobalStateHolder<servers_t> g_dstates;
 
-std::set<std::string> g_capabilitiesToRetain;
-
 // we are not willing to receive a bigger UDP response than that, no matter what
 static constexpr size_t s_maxUDPResponsePacketSize{4096U};
 static size_t const s_initialUDPPacketBufferSize = s_maxUDPResponsePacketSize + DNSCRYPT_MAX_RESPONSE_PADDING_AND_MAC_SIZE;
@@ -3102,7 +3100,7 @@ static void dropPrivileges()
   }
 
   bool retainedCapabilities = true;
-  if (!g_capabilitiesToRetain.empty() && (getegid() != newgid || geteuid() != newuid)) {
+  if (!dnsdist::configuration::getImmutableConfiguration().d_capabilitiesToRetain.empty() && (getegid() != newgid || geteuid() != newuid)) {
     retainedCapabilities = keepCapabilitiesAfterSwitchingIDs();
   }
 
@@ -3133,7 +3131,7 @@ static void dropPrivileges()
        or as an unprivileged user with ambient
        capabilities like CAP_NET_BIND_SERVICE.
     */
-    dropCapabilities(g_capabilitiesToRetain);
+    dropCapabilities(dnsdist::configuration::getImmutableConfiguration().d_capabilitiesToRetain);
   }
   catch (const std::exception& e) {
     warnlog("%s", e.what());
diff --git a/pdns/dnsdistdist/dnsdist.hh b/pdns/dnsdistdist/dnsdist.hh
index 58b38cfc6bbd..4b946fd37671 100644
--- a/pdns/dnsdistdist/dnsdist.hh
+++ b/pdns/dnsdistdist/dnsdist.hh
@@ -1056,8 +1056,6 @@ extern std::vector<std::shared_ptr<DNSCryptContext>> g_dnsCryptLocals;
 bool handleDNSCryptQuery(PacketBuffer& packet, DNSCryptQuery& query, bool tcp, time_t now, PacketBuffer& response);
 bool checkDNSCryptQuery(const ClientState& clientState, PacketBuffer& query, std::unique_ptr<DNSCryptQuery>& dnsCryptQuery, time_t now, bool tcp);
 
-extern std::set<std::string> g_capabilitiesToRetain;
-
 enum class ProcessQueryResult : uint8_t
 {
   Drop,