diff --git a/iodine.c b/iodine.c
index edabf97..732ffdd 100644
--- a/iodine.c
+++ b/iodine.c
@@ -105,14 +105,16 @@ extern char *__progname;
 static void usage() {
- printf("Usage: %s [-v] [-h] [-f] [-u user] nameserver topdomain\n", __progname);
+ printf("Usage: %s [-v] [-h] [-f] [-u user] [-t chrootdir] "
+ "nameserver topdomain\n", __progname);
 exit(2);
 }
 static void help() {
 printf("iodine IP over DNS tunneling client\n");
- printf("Usage: %s [-v] [-h] [-f] [-u user] nameserver topdomain\n", __progname);
+ printf("Usage: %s [-v] [-h] [-f] [-u user] [-t chrootdir] "
+ "nameserver topdomain\n", __progname);
 printf(" -f is to keep running in foreground\n");
 printf(" -u name to drop privileges and run as user 'name'\n");
 exit(0);
@@ -129,17 +131,18 @@ version() {
 int
 main(int argc, char **argv)
 {
+ int choice;
 int tun_fd;
 int dns_fd;
- int choice;
+ char *newroot;
 char *username;
- struct passwd *pw;
 int foreground;
+ struct passwd *pw;
 username = NULL;
 foreground = 0;
- while ((choice = getopt(argc, argv, "vfhu:")) != -1) {
+ while ((choice = getopt(argc, argv, "vfhu:t:")) != -1) {
 switch(choice) {
 case 'v':
 version();
@@ -153,9 +156,12 @@ main(int argc, char **argv)
 case 'u':
 username = optarg;
 break;
+ case 't':
+ newroot = optarg;
+ break;
 default:
 usage();
- break;
+ /* NOTREACHED */
 }
 }
@@ -167,9 +173,8 @@ main(int argc, char **argv)
 argc -= optind;
 argv += optind;
- if (argc != 2) {
+ if (argc != 2)
 usage();
- }
 if(username) {
 pw = getpwnam(username);
@@ -183,6 +188,13 @@ main(int argc, char **argv)
 dns_fd = open_dns(argv[0], argv[1]);
 signal(SIGINT, sigint);
+
+ if (newroot) {
+ if (chroot(newroot) != 0 || chdir("/") != 0)
+ err(1, "%s", newroot);
+ seteuid(geteuid());
+ setuid(getuid());
+ }
 if (!foreground) {
 daemon(0, 0);
diff --git a/iodined.c b/iodined.c
index 5c25ade..ae1e878 100644
--- a/iodined.c
+++ b/iodined.c
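Review bot: help() in iodine.c gains `[-t chrootdir]` on its usage line but no description line for the new option, so the option list it prints still covers only -f and -u. Add a line next to the -u one, for example `printf("  -t dir to chroot to 'dir' after startup\n");`. help() in iodined.c has the same gap.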
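Review bot: `newroot` is read uninitialised in iodine.c's main() whenever -t is not given: it is declared as `char *newroot;`, assigned only in `case 't':`, and the initialiser run beside it still sets only `username = NULL; foreground = 0;`. The later `if (newroot)` test then branches on an indeterminate pointer, which is undefined behaviour and can end in chroot() being called on a garbage path or the client exiting unexpectedly. Add `newroot = NULL;` next to the other two initialisers. main() in iodined.c has the same declaration and needs the same line.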
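Review bot: The two calls that follow chroot() in iodine.c do not drop any privilege and their results are ignored: `seteuid(geteuid())` sets the effective uid to the value it already has, and `setuid(getuid())` leaves a process started by root running as root. A root process is not confined by a chroot, so -t gives little isolation unless the uid and gid are switched to the -u account after the chroot; the `pw` entry looked up earlier is not used in this block, and where it is applied lies outside the hunk. At minimum check the call, e.g. `if (setuid(getuid()) != 0) err(1, "setuid");`, and consider rejecting -t when -u is absent. The identical block added to iodined.c has the same gaps.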
@@ -108,14 +108,15 @@ extern char *__progname;
 static void usage() {
- printf("Usage: %s [-v] [-h] [-f] [-u user] topdomain\n", __progname);
+ printf("Usage: %s [-v] [-h] [-f] [-u user] [-t chrootdir] topdomain\n", __progname);
 exit(2);
 }
 static void help() {
 printf("iodine IP over DNS tunneling server\n");
- printf("Usage: %s [-v] [-h] [-f] [-u user] topdomain\n", __progname);
+ printf("Usage: %s [-v] [-h] [-f] [-u user] [-t chrootdir] "
+ "topdomain\n", __progname);
 printf(" -f to keep running in foreground\n");
 printf(" -u name to drop privileges and run as user 'name'\n");
 exit(0);
@@ -132,17 +133,18 @@ version() {
 int
 main(int argc, char **argv)
 {
+ int choice;
 int tun_fd;
 int dnsd_fd;
- int choice;
+ char *newroot;
 char *username;
- struct passwd *pw;
 int foreground;
+ struct passwd *pw;
 username = NULL;
 foreground = 0;
- while ((choice = getopt(argc, argv, "vfhu:")) != -1) {
+ while ((choice = getopt(argc, argv, "vfhu:t:")) != -1) {
 switch(choice) {
 case 'v':
 version();
@@ -156,9 +158,12 @@ main(int argc, char **argv)
 case 'u':
 username = optarg;
 break;
+ case 't':
+ newroot = optarg;
+ break;
 default:
 usage();
- break;
+ /* NOTREACHED */
 }
 }
@@ -170,9 +175,8 @@ main(int argc, char **argv)
 usage();
 }
- if (argc != 1) {
+ if (argc != 1)
 usage();
- }
 if (username) {
 pw = getpwnam(username);
@@ -185,6 +189,13 @@ main(int argc, char **argv)
 tun_fd = open_tun();
 dnsd_fd = open_dnsd(argv[0]);
+ if (newroot) {
+ if (chroot(newroot) != 0 || chdir("/") != 0)
+ err(1, "%s", newroot);
+ seteuid(geteuid());
+ setuid(getuid());
+ }
+
 if (!foreground) {
 daemon(0, 0);
 umask(0);