dnsmasq was created by Simon Kelley and first released in 2001. The project was designed as a lightweight DNS forwarder and DHCP server for small networks, filling a gap where full DNS servers like BIND were too complex and resource-heavy. It is written in C and licensed under GPL-2.0-or-later.
The name “dnsmasq” comes from “DNS” + “masquerade”, reflecting its role as a DNS proxy that masquerades as a full resolver to local clients.
- 2001: Initial release by Simon Kelley. Basic DNS forwarding and DHCP support.
- 2003-2005: Added TFTP support for PXE network boot. Gained adoption in embedded systems and home routers.
- 2006: Adopted as the default DNS/DHCP server in DD-WRT and later OpenWrt router firmware.
- 2009: Integrated into libvirt as the default DNS/DHCP provider for KVM virtual machine networks.
- 2014 (v2.70): DNSSEC validation support added. Major security milestone enabling cryptographic validation of DNS responses.
- 2015: dnsmasq fork used as the DNS engine in Pi-hole ad-blocking project.
- 2017: Adopted by Android OS as the embedded DNS resolver.
- 2018-2019: Multiple security fixes for buffer overflows and DNS rebinding vulnerabilities.
- 2023 (v2.90): Fixed CVE-2023-50387 (KeyTrap DNSSEC DoS) and CVE-2023-50868 (NSEC3 DoS). Enhanced DNSSEC validation robustness.
- 2024 (v2.91): Added DNS-0x20 encoding for cache-poisoning protection (off by default). IDN/internationalized domain support improvements.
- 2026 (v2.92): Fixed CVE-2025-12198 (heap buffer overflow in parse_hex()). Latest stable release.
DNSSEC support has been a significant development thread:
- v2.70 (2014): Initial DNSSEC validation support with trust-anchor configuration.
- v2.80+: Improved validation performance and key management.
- v2.90 (2023): Major DNSSEC hardening – fixed KeyTrap and NSEC3 denial-of-service vulnerabilities. Improved handling of overlapping DNSKEY/RRSIG records.
- v2.92 (2026): Continued DNSSEC robustness improvements alongside the parse_hex() security fix.
Adoption and Ecosystem
dnsmasq became the go-to DNS/DHCP solution for:
- Home routers: Default in OpenWrt, DD-WRT, and many embedded Linux distributions.
- Virtualization: Default DNS/DHCP for libvirt/KVM virtual networks.
- Ad-blocking: Core DNS engine in Pi-hole (uses a dnsmasq fork).
- Mobile: Embedded DNS resolver in Android OS.
- PXE boot servers: Widely used for network boot provisioning in labs and data centers.
Its lightweight footprint (~1MB RAM) and combined DNS+DHCP+TFTP functionality made it ideal for resource-constrained environments.
As dnsmasq grew in deployment, it attracted security research attention:
- Multiple buffer overflow fixes (2017-2019)
- DNS rebinding protections added
- Rate limiting and access control improvements
- CVE-2023-50387 and CVE-2023-50868: DNSSEC-related DoS vulnerabilities fixed in v2.90
- CVE-2025-12198: Heap buffer overflow in parse_hex() fixed in v2.92
The project maintains a disciplined security response, with fixes backported to stable branches where feasible.