This page covers common configuration scenarios for dnsmasq deployments.
/etc/dnsmasq.conf
/etc/dnsmasq.d/ (use conf-dir=/etc/dnsmasq.d to include all .conf files)
/etc/hosts (dnsmasq reads local host entries by default)
/etc/resolv.conf (upstream nameservers, or override with resolv-file=)
# Listen on specific interface only
interface=eth0
listen-address=127.0.0.1,192.168.1.1
# Exclude a named interface (except-interface overrides interface= and listen-address=)
except-interface=lo
# Bind only to listed addresses (do not wildcard-listen)
bind-interfaces
# Use specific upstream resolvers
server=8.8.8.8
server=1.1.1.1
# Conditional forwarding: send .internal queries to a specific server
server=/internal/10.0.0.2
# Use resolv.conf for upstream servers
# resolv-file=/etc/resolv.conf
# Cache size (default 150, set to 0 to disable)
cache-size=1000
# Negative cache TTL for non-existent domains
neg-ttl=3600
DNSSEC is supported since v2.70 (2014) and enhanced in v2.90/v2.92.
# Enable DNSSEC validation
dnssec
dnssec-check-unsigned
# Trust anchor (root key)
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
DNS-0x20 encoding is available since v2.91 and is off by default. It adds case randomization to DNS queries.
# Enable DNS-0x20 encoding
dns-0x20
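As an added illustration (not dnsmasq's code and not part of the original page), this sketch shows the general DNS-0x20 technique: the resolver randomizes the case of the query name and accepts a reply only if the question name is echoed with identical case. The function names and the sample name www.example.com are assumptions made for this example.

```python
import secrets
import struct

def encode_0x20(name: str) -> str:
    """Flip each ASCII letter to a random case; digits, dots and hyphens are unchanged."""
    return "".join(
        (c.upper() if secrets.randbits(1) else c.lower())
        if c.isascii() and c.isalpha() else c
        for c in name
    )

def entropy_bits(name: str) -> int:
    """Each letter contributes one bit that the responder must echo back correctly."""
    return sum(c.isascii() and c.isalpha() for c in name)

def message(txid: int, flags: int, name: str) -> bytes:
    """Minimal DNS message: 12-byte header plus one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def question_name(msg: bytes) -> str:
    """Read the uncompressed question name that follows the 12-byte header."""
    labels, pos = [], 12
    while msg[pos]:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def accept_reply(query: bytes, reply: bytes) -> bool:
    """Accept only if the transaction ID and the exact-case question name both match."""
    return query[:2] == reply[:2] and question_name(query) == question_name(reply)

if __name__ == "__main__":
    sent = encode_0x20("www.example.com")             # constructed sample name
    txid = secrets.randbits(16)
    query = message(txid, 0x0100, sent)               # standard query, RD set
    echoed = message(txid, 0x8180, sent)              # responder copies the question as sent
    mismatched = message(txid, 0x8180, sent.swapcase())  # same ID, different case
    print(sent, entropy_bits(sent),
          accept_reply(query, echoed), accept_reply(query, mismatched))
```

The case pattern adds up to one bit per letter on top of the 16-bit transaction ID, so a reply that matches the ID but not the case is dropped.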
Serve authoritative records for local domains:
# Authoritative for local domain
local=/lan/
domain=lan
# Add local domain to unqualified hostnames
expand-hosts
# Enable IDN support
enable-idn
# IPv4 DHCP range with lease time
dhcp-range=192.168.1.100,192.168.1.200,255.255.255.0,24h
# Static lease by MAC address
dhcp-host=00:11:22:33:44:55,192.168.1.50,webserver
# Default gateway
dhcp-option=option:router,192.168.1.1
# DNS server
dhcp-option=option:dns-server,192.168.1.1
# NTP server
dhcp-option=option:ntp-server,192.168.1.1
# IPv6 DHCP range
dhcp-range=::,constructor:eth0,ra-stateless,ra-names
# Enable Router Advertisement for SLAAC
enable-ra
# Enable TFTP server
enable-tftp
tftp-root=/var/lib/tftpboot
# PXE boot filename
dhcp-boot=pxelinux.0
# Log DNS queries
log-queries
# Log DHCP activity
log-dhcp
# Log to a specific file
log-facility=/var/log/dnsmasq.log
After editing the configuration, validate and reload:
# Test configuration syntax
dnsmasq --test
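# Reload without restarting (sends SIGHUP): clears the cache and re-reads
# /etc/hosts and similar files, but does not re-read the configuration file
sudo systemctl reload dnsmasq
# Restart the service to apply changes made to the configuration file
sudo systemctl restart dnsmasq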
Run test lookups to confirm configuration:
# Basic lookup
dig @127.0.0.1 example.com
# Check cache behavior (second query should be faster)
dig @127.0.0.1 example.com
# Verify DNSSEC (if enabled)
dig @127.0.0.1 example.com +dnssec
# Check DHCP lease file
cat /var/lib/misc/dnsmasq.leases