Things you can do with dnsmasq!

I came up with some stuff that eases things a little bit with my Pi-Hole life. Some of the ideas here, I gathered from around the internet. I wanted to share my findings.

These configs are to be placed in /etc/dnsmasq.d

I do realize that these could easily be combined into a single 04-custom.conf, but for the ease of teaching myself things I can do with this, I like them seperate.

Bypass Pihole by MAC Address

What this Does:

Find the MAC Address of the device that you want to skip pihole, and go straight to OpenDNS or Google DNS servers.

Reason I made this:

I had some wifi lightbulbs that were calling home every 5 seconds. Yes, I could have simply blocked the domain, but I wanted my stats in the interface to reflect advertisements, not just blocked stuff.

Interface Fix

What this Does:

Using this conf file will allow you to use pihole dns on multiple interfaces. For me this helped fix multiple issues. Pair this conf with a good iptools firewall, to secure your pihole from your external traffic.

Reason I made this:

I am running an nginx reverse proxy on the same Pi3 as pihole. I activated the wifi, and gave it a static IP address. I have lighttpd running on wlan0 IP port 80 (using server.bind), and Nginx running on eth0 IP port 80. I ran pihole -r and reconfigured to primarily use wlan0, and the IP associated with it. I then Installed the Wally3k Block Page. This works extremely well!

Active Directory Domain adjustment

What this Does:

Let’s you add your Active Directory DNS to the pihole without wasting one of the webui slots.

Reason I made this:

I wanted these settings to be retained between installs. The tinkerer in me tends to have to reinstall often. (Can’t stop breaking things!)

Custom Redirect

What this Does:

It should allow you to send a website to an alternate address.

Reason I made this

Saw it on Reddit, seemed like a good idea in theory.

Static IP

What this Does:

This will possibly allow you to set a device name and IP associated with a mac address.

Reason I made this

I wanted to static IP devices that I reinstall often.


What this Does:

This let’s you not give an IP address to a specific mac address.

Reason I made this

If I ever catch a neighbor stealing internet, I want to try and make it a bit more difficult for them.

Please comment with some of the custom configs you have come up with, and why!

I want to see what all is possible with dnsmaq. I’ve read a bunch online, but it’s hard to tell if it’s relevant or not.

There was another conf, but i removed it from this thread.

  1. No Time Check:
    I don’t really think it is a good idea to use the dnssec-no-timecheck setting without implementing a solution to notify dnsmasq, time synchronization has been established. This will ensure correct DNSSEC validation. I’ve listed a possible solution here, but somebody on the forum suggested a better solution:
    if you make ntpd.conf DNS- independant (not the hardest thing to do), and insert the statement “ntpd -gq” right before starting the named daemon (in the start- part of /etc/init.d/bind9, see my solution 3), you don’t have to wait for some 15 minutes, as your system time is correct immediately thereafter (ntpd may not yet be running yet at that moment)…
    unfortunately, I haven’t been successful in implementing this, some help from a linux guru is welcome here…

  2. dnsmasq:
    you seem to have read this topic, to upgrade to the latest (working - running it for 2 months now) dnsmasq version. I’ve also wrote a script (if you use this, run it with sudo) to automate installation (I always install dnsmasq and dnscrypt before installing pihole), however, beware, there is no error handling!


If you tried to install dnscrypt using this wiki and these instructions, using the rar file I provided, you may want to use this script to install everything you need to get it working, again, beware, there is no error handling!

# rng tools (required for dnscrypt)
sudo apt-get -yq install rng-tools
sudo sed -i '/#HRNGDEVICE=\/dev\/null/a HRNGDEVICE=\/dev\/urandom' /etc/default/rng-tools

sudo apt-get -yq install build-essential
sudo apt-get -yq install tcpdump
sudo apt-get -yq install dnsutils
sudo apt-get -yq install libsodium-dev
sudo apt-get -yq install locate
sudo apt-get -yq install bash-completion
sudo apt-get -yq install libsystemd-dev
sudo apt-get -yq install pkg-config
mkdir -p dnsproxy
cd dnsproxy
tar -xf $file.tar.bz2
cd $file
sudo ldconfig
./configure --with-systemd
sudo make install
cd ..
cd ..
sudo useradd -r -d /var/dnscrypt -m -s /usr/sbin/nologin dnscrypt

As explained here, Put all five dnscrypt-proxy@ files in /lib/systemd/system and 04-dnscrypt.conf in /ec/dnsmasq.d.

Something I never mentioned (because it is mentioned in the wiki): You need to enable and start the proxies. This is how (assuming you used the rar file, otherwise you need to edit the instructions - correct the proxy names):

  • enable the four proxies:
sudo systemctl enable dnscrypt-proxy@d0wn-at-ns1
sudo systemctl enable dnscrypt-proxy@d0wn-nl-ns3
sudo systemctl enable dnscrypt-proxy@d0wn-de-ns1
sudo systemctl enable dnscrypt-proxy@d0wn-se-ns1

  • start the four proxies
sudo systemctl start dnscrypt-proxy@d0wn-at-ns1
sudo systemctl start dnscrypt-proxy@d0wn-nl-ns3
sudo systemctl start dnscrypt-proxy@d0wn-de-ns1
sudo systemctl start dnscrypt-proxy@d0wn-se-ns1

If everything went well, you should find four (4) symbolic links (one for each proxy) in /etc/systemd/system/
and another four (4 - one for each proxy) in /etc/systemd/system/

You can check the status of the proxies, using:

sudo systemctl status -l dnscrypt-proxy@*

or, for the individual proxies:

sudo systemctl status dnscrypt-proxy@d0wn-at-ns1
sudo systemctl status dnscrypt-proxy@d0wn-nl-ns3
sudo systemctl status dnscrypt-proxy@d0wn-de-ns1
sudo systemctl status dnscrypt-proxy@d0wn-se-ns1

You should see something like this (example for one proxy):

 dnscrypt-proxy@d0wn-at-ns1.service - DNSCrypt client proxy
   Loaded: loaded (/lib/systemd/system/dnscrypt-proxy@.service; enabled)
   Active: active (running) since Fri 2017-04-14 01:09:02 CEST; 10h ago
     Docs: man:dnscrypt-proxy(8)
 Main PID: 8204 (dnscrypt-proxy)
   CGroup: /system.slice/system-dnscrypt\x2dproxy.slice/dnscrypt-proxy@d0wn-at-ns1.service
           └─8204 /usr/local/sbin/dnscrypt-proxy --resolver-name=d0wn-at-ns1 --syslog-prefix=d0wn-at-ns1 --user=dnscrypt --ephemeral-keys --edns-payload-size=4096 --logfile=/var/log/dnscry...

Apr 14 01:09:02 raspberrypi systemd[1]: Started DNSCrypt client proxy.
Apr 14 01:09:02 raspberrypi dnscrypt-proxy[8204]: Fri Apr 14 01:09:02 2017 [INFO] d0wn-at-ns1 + DNS Security Extensions are supported
Apr 14 01:09:02 raspberrypi dnscrypt-proxy[8204]: Fri Apr 14 01:09:02 2017 [INFO] d0wn-at-ns1 + Provider supposedly doesn't keep logs

Notice the active (running)

Another thing I never mentioned (because it is mentioned in the wiki): Your proxies might not start because your dnscrypt-resolvers.csv is outdated

You have to create (I’ve placed in /home/pi) and make it executable.

  • execute the script: sudo ./
  • create a cron file in /etc/cron.d/dnscrypt (or whatever you want to call it):
09 1    * * *   root    PATH="$PATH:/home/pi/" /home/pi/

A last remark: the proxies will NOT start if your pi’s time is incorrect, so you need to ensure time is as accurate as possible. If time is “way of” you’ll find some certificate messages in /var/log/dnscrypt-proxy.log (that is if you used the rar file configuration, which enables logging)


I’ll check out your suggestions, as for the conf file, I don’t have it installed right now.

I’m going to type stuff into this comment as I continue through this, sorry for any weird insane ramblings… I’m doing this on my existing Pihole, which I’ve re-setup so many times, that I’ve streamlined the process considerably.

At time of writing, I’m about half-way(ish) though your process. Do you mind if I help you make an easier to follow write-up on this? No offence, but your’s is a tough act to follow (especially when bouncing between pages).

I like to cheat at setup processes, and host things on github, with instructions. If you like these, I can add you as a contributor. I do not intend on taking any credit for your work/efforts, but i want to help get this up and running for more people.

Here’s the links:

Your .rar file was actually blocked by my pihole, so I had to download it and add the contents to github. I then modified your script to wget the files and place them into the correct directories as mentioned

I see in one of the links you created a 04-dnscrypt.conf file to hold settings. From reading on here, the files are read in a “lexicographic” manner, meaning the bigger number you use it will be the “final say”. since settings in the default pihole files. I may be mistaken, but I believe that with dnsmasq you could potentially “exclude server=” in your conf.

Another idea I had, is we could look at adding some errorhandling to these scripts.

I renamed 04-dnscrypt.conf to 50-dnscrypt.conf, because idk how many conf scripts one person might have, and we want the settings in this file to stick.

I’m towards the end now, and I am getting

Failed to execute operation: No such file or directory

when I try to enable the four proxies.

I just check the directories




The second directory does not contain the files.

Any Idea how to fix?

Continuing reading through your stuff, what should be the contents of ?

additional thought I had, is using ntp, we could make some sort of cronjob to update the time every hour of so…

  • I’ve done this (dnsmasq & dnscrypt) on an existing (running) pihole and on a fresh raspbian installation, both methods work. I’ve tested the scrips dozens of times before I published them. I’ve made it a habit to reinstall my pi whenever a new release of raspbian is published, so I ran this just earlier this week (raspbian jessie lite april 2017).
  • dnsmasq and dnscrypt are two different things. You can run an updated version of dnsmasq without dnscrypt, you can also run dnscrypt without an updated version of dnsmasq. The only reason I update them both is because DNSSEC will not function correctly, using dnscrypt resolvers, unless dnsmasq is also at least v2.77test4. I’ve been running dnsmasq v2.77test4 and dnscrypt v1.9.4 for two months now, without any problems!
  • You can put the “server=” settings in any file you want to, dnsmasq processes all the files in /etc/dnsmasq.d. I just used 04 because pihole is already using 01 (pihole core), 02 (pihole dhcp), 03 (pihole wildcards). The only thing required to get dnsmasq working, using dnscrypt resolvers, is to remove all “server=” settings from other dnsmasq configuration files. This is because dnsmasq will try to find the fastest configured resolver (every 20 seconds OR 50 queries). You will notice that if you look at the pihole log, whenever the requirements are met (see above), you will see dnsqueries to all of the resolvers.
  • the steps to update (or install, if pihole isn’t running yet) dnsmasq:
    run the update script
    check if installation was successful: dnsmasq --version
  • the steps to install dnscrypt:
    run the script I listed above
    copy the five dnscrypt-proxy@ files (from the rar file) in /lib/systemd/system
    reboot (this is required to start dnscrypt-proxy with the new configuration. The wiki says you should run sudo systemctl daemon-reload, but I found this doesn’t always work, so reboot
    enable the proxies (they are loaded due to the reboot, but possibly not enabled - the wiki also clearly explaines that)
    start the proxies (they are loaded and enabled in the previous steps but not started - again see wiki)
    check the proxy status
    the proxies are now running, you can verify functionality by testing them with dig:
dig @ -p 5551
dig @ -p 5552
dig @ -p 5553
dig @ -p 5554

Now, all you have to do is tell dnsmasq to use the dnscrypt-proxies resolvers. That is why I simply copy the 04 conf file in /etc/dnsmasq.d AND remove all other server settings (nomally only from 01-pihole.conf). You also have to empty the PIHOLE_DNS_x= settings in /etc/pihole/setupVars.conf (again, it’s in the wiki)
test your new dnsmasq settings: dnsmasq --test
restart dnsmasq: sudo service dnsmasq restart

  • The content of is listed at the end of the wiki article, section Additional step: Update dnscrypt-resolvers.csv regulary

  • I can’t comment on the “failed to execute operation”, you should mention the point in the process you completed successfully , but I suspect you tried to enable the proxies before they where even loaded…

  • If you can’t follow instruction across documents, I suggest you print at least the wiki. Apart from the files in the rar file (replacements for the files in the wiki), just about everything is covered in there.

  • If you configured NTP correctly, there is absolutely no need for a cron job or any other intervention. I explained in my basic pihole installation manual how to configure ntp (section 4.12). This will ensure time is synchronized. It takes about 15 minutes for time to synchronize, this is the reason I started using dnssec-no-timecheck, as discussed earlier (with the script to inform dnsmasq).

  • If you run into an error, you should at least check /var/log/syslog and /var/log/dnscrypt-proxy.log. They provide valuable info about what is going on (or wrong)

Don’t do that, I don’t want that. I have no control over what you publish

after a reboot, dnsmasq fails to start, investigating

dnsmasq --test to check the files

that’s what’s odd, test come out clean

what is the version you’re running now?
dnsmasq --version

Dnsmasq version 2.77test4 Copyright © 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

check the pihole log, whenever dnsmasq starts (sudo service dnsmasq start), it logs something like

Apr 14 19:29:01 dnsmasq[16988]: started, version 2.77test4 cachesize 10000
Apr 14 19:29:01 dnsmasq[16988]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
Apr 14 19:29:01 dnsmasq[16988]: DNSSEC validation enabled
Apr 14 19:29:01 dnsmasq[16988]: DNSSEC signature timestamps not checked until first cache reload
Apr 14 19:29:01 dnsmasq[16988]: warning: ignoring resolv-file flag because no-resolv is set
Apr 14 19:29:01 dnsmasq[16988]: using nameserver
Apr 14 19:29:01 dnsmasq[16988]: using nameserver
Apr 14 19:29:01 dnsmasq[16988]: using nameserver
Apr 14 19:29:01 dnsmasq[16988]: using nameserver
Apr 14 19:29:01 dnsmasq[16988]: using local addresses only for domain localdomain
Apr 14 19:29:01 dnsmasq[16988]: read /etc/hosts - 13 addresses
Apr 14 19:29:01 dnsmasq[16988]: read /etc/pihole/local.list - 2 addresses

Pihole won’t have any new logs, if dnsmasq won’t start.

sudo service dnsmasq start

Job for dnsmasq.service failed. See ‘systemctl status dnsmasq.service’ and ‘journalctl -xn’ for details.

systemctl status dnsmasq.service

dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled)
Drop-In: /run/systemd/generator/dnsmasq.service.d
└─50-dnsmasq-$named.conf, 50-insserv.conf-$named.conf
Active: failed (Result: exit-code) since Fri 2017-04-14 13:30:58 EDT; 6s ago
Process: 10655 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=2)
Process: 10651 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)

suggestion from this article:

systemctl, when used to start dnsmasq is not very verbose. Just try to start the service just like this:
sudo dnsmasq

If it start all right, to stop it:
sudo kill -9 $(pidof dnsmasq)

okay, so apparently port 53 is already in use

what other packages have you installed?

none that I can think of that would use port 53

I’m going to completely remove dnsmasq, then reinstall it, see if that helps

you can find out who’s using port 53 with: sudo lsof -i -P

On my system, something like this comes up (dnsmasq uses port 53 (UDP/TCP):

systemd       1     root   47u  IPv4   6937      0t0  TCP d0wn-se-ns1.dns:5554 (LISTEN)
systemd       1     root   48u  IPv4   6938      0t0  UDP d0wn-se-ns1.dns:5554
systemd       1     root   49u  IPv4   6944      0t0  TCP d0wn-de-ns1.dns:5553 (LISTEN)
systemd       1     root   50u  IPv4   6945      0t0  UDP d0wn-de-ns1.dns:5553
systemd       1     root   51u  IPv4   6946      0t0  TCP d0wn-at-ns1.dns:5551 (LISTEN)
systemd       1     root   52u  IPv4   6947      0t0  UDP d0wn-at-ns1.dns:5551
systemd       1     root   53u  IPv4   6942      0t0  TCP d0wn-nl-ns3.dns:5552 (LISTEN)
systemd       1     root   54u  IPv4   6943      0t0  UDP d0wn-nl-ns3.dns:5552
avahi-dae   381    avahi   12u  IPv4   8641      0t0  UDP *:5353
avahi-dae   381    avahi   13u  IPv6   8642      0t0  UDP *:5353
avahi-dae   381    avahi   14u  IPv4   8643      0t0  UDP *:36195
avahi-dae   381    avahi   15u  IPv6   8644      0t0  UDP *:53676
dhcpcd      560     root    8u  IPv4   7024      0t0  UDP *:68
sshd        561     root    3u  IPv4  12054      0t0  TCP *:22 (LISTEN)
sshd        561     root    4u  IPv6  12056      0t0  TCP *:22 (LISTEN)
perl       1265     root    5u  IPv4  12528      0t0  TCP *:10000 (LISTEN)
perl       1265     root    6u  IPv4  12529      0t0  UDP *:10000
lighttpd   7004 www-data    5u  IPv4  19498      0t0  TCP *:80 (LISTEN)
lighttpd   7004 www-data    6u  IPv6  19499      0t0  TCP *:80 (LISTEN)
dnscrypt-  8200 dnscrypt    3u  IPv4   6942      0t0  TCP d0wn-nl-ns3.dns:5552 ( LISTEN)
dnscrypt-  8200 dnscrypt    4u  IPv4   6943      0t0  UDP d0wn-nl-ns3.dns:5552
dnscrypt-  8200 dnscrypt   11u  IPv4 105583      0t0  UDP *:58839
dnscrypt-  8204 dnscrypt    3u  IPv4   6946      0t0  TCP d0wn-at-ns1.dns:5551 (LISTEN)
dnscrypt-  8204 dnscrypt    4u  IPv4   6947      0t0  UDP d0wn-at-ns1.dns:5551
dnscrypt-  8204 dnscrypt   11u  IPv4 105593      0t0  UDP *:52244
dnscrypt-  8206 dnscrypt    3u  IPv4   6937      0t0  TCP d0wn-se-ns1.dns:5554 (LISTEN)
dnscrypt-  8206 dnscrypt    4u  IPv4   6938      0t0  UDP d0wn-se-ns1.dns:5554
dnscrypt-  8206 dnscrypt   11u  IPv4 104165      0t0  UDP *:46047
dnscrypt-  8207 dnscrypt    3u  IPv4   6944      0t0  TCP d0wn-de-ns1.dns:5553 (LISTEN)
dnscrypt-  8207 dnscrypt    4u  IPv4   6945      0t0  UDP d0wn-de-ns1.dns:5553
dnscrypt-  8207 dnscrypt   11u  IPv4 105699      0t0  UDP *:53298
ntpd      12543      ntp   16u  IPv4 115590      0t0  UDP *:123
ntpd      12543      ntp   17u  IPv6 115591      0t0  UDP *:123
ntpd      12543      ntp   18u  IPv4 115596      0t0  UDP localhost:123
ntpd      12543      ntp   19u  IPv4 115597      0t0  UDP raspberrypi.localdomain:123
ntpd      12543      ntp   20u  IPv6 115598      0t0  UDP localhost:123
ntpd      12543      ntp   21u  IPv6 115599      0t0  UDP [fe80::3e65:bd8d:89da:9178]:123
sshd      15938     root    3u  IPv4 127795      0t0  TCP raspberrypi.localdomain:22->hp7900.localdomain:49180 (ESTABLISHED)
sshd      15946       pi    3u  IPv4 127795      0t0  TCP raspberrypi.localdomain:22->hp7900.localdomain:49180 (ESTABLISHED)
sshd      15960     root    3u  IPv4 127806      0t0  TCP raspberrypi.localdomain:22->hp7900.localdomain:49181 (ESTABLISHED)
sshd      15965       pi    3u  IPv4 127806      0t0  TCP raspberrypi.localdomain:22->hp7900.localdomain:49181 (ESTABLISHED)
dnsmasq   16988  dnsmasq    4u  IPv4 133266      0t0  UDP *:53
dnsmasq   16988  dnsmasq    5u  IPv4 133267      0t0  TCP *:53 (LISTEN)
dnsmasq   16988  dnsmasq    6u  IPv6 133268      0t0  UDP *:53
dnsmasq   16988  dnsmasq    7u  IPv6 133269      0t0  TCP *:53 (LISTEN)

I found the culprit


now i have to figure out how to remove that

this means that you have another configuration file for dnscrypt somewhere (apart from the five files from the rar file)!