diff --git a/etc/oidentd.conf b/etc/oidentd.conf
index a8c88e7a..f6446e51 100644
--- a/etc/oidentd.conf
+++ b/etc/oidentd.conf
@@ -1,34 +1,45 @@
-# Oidentd.conf allowing everything and giving random responses when
-# asked from root.
-# With public shells "allow" should be replaced with "deny" but when
-# there is only me, why to deny anything?
+# oidentd.conf denying everything except hiding root and allowing ZNC to
+# spoof. With only one user everything could be allowed, but if other users
+# appear out of nowhere...
 
+# * * * * *
+
+# Deny everything by default
 default {
+    default {
+        deny spoof
+        deny spoof_all
+        deny spoof_privport
+        deny random
+        deny random_numeric
+        deny numeric
+        deny hide
+    }
+}
+
+# Don't respond to ident request to root
+user root {
+    default {
+        force hide
+    }
+}
+
+# Allow user znc to spoof when *Identfile is used
+# http://wiki.znc.in/Identfile
+# touch ~/.oidentd.conf
+# chmod 644 ~/.oidentd.conf
+# chmod 711 ~
+# /msg *status loadmod identfile
+# /msg *identfile setfile ~/.oidentd.conf
+# /msg *identfile setformat global { reply "%user%" }
+user "znc" {
     default {
         allow spoof
         allow spoof_all
         allow spoof_privport
-        allow random
-        allow random_numeric
-        allow numeric
-        allow hide
+        deny random
+        deny random_numeric
+        deny numeric
+        deny hide
     }
 }
-user root {
-    default {
-        force random
-    }
-}
-
-## Allow user znc to do spoof when *Identfile is used
-#user "znc" {
-#    default {
-#        allow spoof
-#        allow spoof_all
-#        allow spoof_privport
-#        deny random
-#        deny random_numeric
-#        deny numeric
-#        deny hide
-#    }
-#}