diff --git a/CHANGES b/CHANGES
index 34809457c1..131d62e8b7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,12 @@
 
+3.1.0-dev.406 | 2020-01-28 12:42:25 -0800
+
+  * util: use getrandom() on Linux if available (Max Kellermann)
+
+    Unlike /dev/urandom, getrandom() doesn't need a file descriptor and
+    works when there is no /dev.  It requires Linux 3.17 and glibc 2.25,
+    but there is a fallback to the old code.
+
 3.1.0-dev.403 | 2020-01-24 15:15:04 -0800
 
   * Fixed decompose_uri() errors on URIs with empty port component (Frerich Raabe)
diff --git a/VERSION b/VERSION
index f0fca4b3d7..31938472a9 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.1.0-dev.403
+3.1.0-dev.406
diff --git a/src/util.cc b/src/util.cc
index 18a4defde5..519c7ba35d 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -55,6 +55,13 @@
 
 #include "3rdparty/doctest.h"
 
+#ifdef __linux__
+#if __has_include(<sys/random.h>)
+#define HAVE_GETRANDOM
+#include <sys/random.h>
+#endif
+#endif
+
 TEST_CASE("util extract_ip")
 	{
 	CHECK(extract_ip("[1.2.3.4]") == "1.2.3.4");
@@ -1035,6 +1042,14 @@ void init_random_seed(const char* read_file, const char* write_file)
 			seeds_done = true;
 		}
 
+#ifdef HAVE_GETRANDOM
+	if ( ! seeds_done )
+		{
+		ssize_t nbytes = getrandom(buf, sizeof(buf), 0);
+		seeds_done = nbytes == ssize_t(sizeof(buf));
+		}
+#endif
+
 	if ( ! seeds_done )
 		{
 		// Gather up some entropy.