"Never forward reverse lookups for private IP ranges" allows DNS-SD queries to be transmitted to upstream servers

Since dnsmasq listens on loopback by default, an entry for 127.0.0.1 should suffice. That is, unless you specified the option --listen-address without --interface, in which case the process only binds to the specified address and not to loopback.
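A small checker for the rule described above, added here as an example and not taken from the thread or from dnsmasq itself. It parses plain key=value lines of a dnsmasq.conf (it does not follow conf-file or conf-dir includes) and reports whether local clients on 127.0.0.1 will still reach the resolver; the function names and the sample config are my own.

```python
# Added example: checks the dnsmasq bind rule from the dnsmasq man page.
# If listen-address is set but no interface= line is, dnsmasq does NOT add
# loopback automatically; 127.0.0.1 must be listed explicitly. An
# except-interface=lo line removes loopback in every case.
# Limitation: conf-file= and conf-dir= includes are not followed.

def parse_dnsmasq(config_text):
    """Collect interface=, except-interface= and listen-address= values."""
    interfaces, excepted, addresses = [], [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "interface":
            interfaces.append(value)
        elif key == "except-interface":
            excepted.append(value)
        elif key == "listen-address":
            # listen-address accepts a comma-separated list of addresses
            addresses.extend(a.strip() for a in value.split(",") if a.strip())
    return interfaces, excepted, addresses

def loopback_bound(config_text):
    """True if dnsmasq will accept queries on 127.0.0.1 with this config."""
    interfaces, excepted, addresses = parse_dnsmasq(config_text)
    if "lo" in excepted:
        return False                     # loopback explicitly excluded
    if addresses and not interfaces:
        # Only the listed addresses are bound; loopback must be explicit.
        return "127.0.0.1" in addresses
    # No listen-address (all interfaces) or interface= given: loopback included.
    return True

def check_config(config_text):
    """Return a one-line verdict a resolver admin can act on."""
    if loopback_bound(config_text):
        return "ok: local clients on 127.0.0.1 will reach dnsmasq"
    return ("warning: loopback not bound; add listen-address=127.0.0.1 "
            "(or an interface= line) so local resolution keeps working")

if __name__ == "__main__":
    # Constructed sample config (not a real file from the thread).
    SAMPLE = "listen-address=192.168.1.10\nserver=1.1.1.1\n"
    print(check_config(SAMPLE))
```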

@timbo listen to the man, he's trying to help you out here. If you want to take your privacy seriously, set up your own local recursive DNS resolver. The documentation for Unbound is excellent and despite my ISP's DNS servers being blazingly fast (confirmed using grc.com Benchmark tool), I've been incredibly happy with the redundant Pi-hole + Unbound setup for our little network.

Primary nameserver runs on a little Ubuntu Server VM (1 vCPU, 1024 MB RAM) and secondary runs Raspbian Lite 9.8 (stretch) on a little Raspberry Pi 3 B+, which also acts as my OpenVPN server, for safe and secure browsing (plus ad-blocking) while out and about. We're all guilty of connecting to tons of sketchy WiFi networks; you have the power and tools to take this stuff into your own hands.

If you aren't a fan of Unbound for whatever reason, there are other implementations that will give you similar levels of security/privacy (namely DoH & DNS over TLS). YMMV. I allow my Edgerouter (with dnsmasq enabled) to continue performing DHCP duties, but point those DHCP servers to my internal Unbound appliances for DNS1 & DNS2. Hope you've managed to get things in order the way you want, but I'd seriously consider what @jfb has to say. These guys know a thing or two about a thing or two, especially when it comes to DNS.