[ ← Back Home ]

Last modified on September 13, 2022


Ports required: 53

Table of Contents

Dnsmasq is a libre DNS and DHCP system that allows anyone to run a DNS server to resolve domains. Normally to block domains and ads, users on most operating systems can edit their /etc/hosts file or use one of the many existing ad-blocking hosts collections available online. However, if you’re trying to block ads over your entire home network and do not have access to your router’s hosts file, then setting up your own DNS server can be very advantageous.

This also comes with the benefit of increased flexibility regarding name resolution; for example, with Dnsmasq, you can employ the usage of wildcard domains to block massive ranges of ads, trackers and entire social media networks.

Before we begin…

while Dnsmasq is very versatile software that can be used for a variety of networking and DNS applications, this guide assumes you only want to setup Dnsmasq to block domains from resolving (i.e. ads and social media sites). It is possible to get custom domain resolution and internal network services running using Dnsmasq, but this is beyond the scope of this article.


Dnsmasq is available in the Debian repositories:

apt install dnsmasq


Basic configuration

By default, Dnsmasq will start a DNS server listening on localhost:53. You can even test this if you have the bind9 package installed:

dig @localhost example.org

This command should return the A DNS records for example.org.

We can configure Dnsmasq to listen on the public internet by editing its config file, /etc/dnsmasq.conf. In this file, you’ll find this line, commented out:


We need to specify the interface we wish to listen on to provide the DNS service. In most cases (such as when using a Debian VPS) this will simply be eth0. However, please run ip a to determine which interface is correct for your system, if you’re unsure.


It’s also highly recommended to uncomment this following line, just to prevent Dnsmasq from forwarding requests to local names.


Now all we have to do is restart Dnsmasq’s systemd service:

systemctl restart dnsmasq

And, on our local machine, we can try using the bind9 utilities to test our DNS server:

dig @your_servers_public_ip example.org

This should return the correct A DNS records for example.org, like when testing using localhost.

Changing Authoritative DNS Providers

By default, Dnsmasq will use the DNS servers provided in /etc/resolv.conf. You can change this file directly, altering DNS resolution for your entire system:

# Quad9 DNS Server

Blocking DNS Requests

Using a Hostsfile

As mentioned previously, one of Dnsmasq’s advantages is that it can read /etc/hosts and other host resolution files. This makes it 100% compatible with existing ad-blocking hosts files.     www.youtube.com     www.reddit.com

This hosts file blocks www.youtube.com and www.reddit.com.

To read another hosts file, in addition to /etc/hosts, you can use the following in /etc/dnsmasq:


The only complication is that every time you update the hosts file, Dnsmasq must be restarted:

systemctl restart dnsmasq

Using Dnsmasq’s Configuration

For more advanced forms of DNS blocking, such as domain wildcards, you can edit /etc/dnsmasq.conf directly:


This configuration will block all requests to netflix.com and its subdomains. This way you don’t need a massive hosts file containing every single possible subdomain. All you need to know is the root domain.

And as usual, remember to restart the Dnsmasq systemd service every time the configuration is altered.

systemctl restart dnsmasq

Using Dnsmasq

If you intend to use your new DNS server on your home network, this is as easy as setting your primary DNS resolver in your router’s settings to your DNS server’s public IP address.

For example, on a local Linux machine, you could edit /etc/resolv.conf:

nameserver  your_servers_public_ip

Generally this should be an intuitive process on most router interfaces, and most OS’ will let you edit the DNS in their respective network settings.