Please update dnsmasq to 2.87

Hello development team
Because dnsmasq2.87 supports nftset
Can you please update it to 2.87 in the next version?


1 Like

2.87 pre-release versions have been in testing by @ldir for some time, and also @jow has it in his staging tree.

As 2.87 has been officially released last Sunday, it might well be the time for the version bump here.

[Dnsmasq-discuss] Announce: dnsmasq-2.87.

Simon Kelley [simon at ]
Sun Sep 25 22:07:21 UTC 2022

and @ldir has already done a PR for that purpose. You could test it:

1 Like

Thanks @hnyman for posting the PR link.

I've tried to build the 2.87 supporting nft myself, but my build VM couldn't handle the extra storage required for the toolchain (vs SDKs I already have there), so it failed.

I'd very much like to test the dnsmasq-full from that PR and if anyone is building/has already built it for x86_64, please send a link!


free for life oracle cloud hosts, FTW.

sign up, and spin one up. won't be fast, but it'll get the job done.

or try the 8 core trial host, I think they last 3 mo, if you don't pay.

Google, Amazon and MS have those too, but I think Oracle are the
only ones offering free for life.

1 Like

I'm also very interested in this version of Dnsmasq due to nftset support, but I want to ask a general question about how openwrt handles the package update.

Assume the pr is merged, when will we see the new version in the opkg archive? Next dot release? Major release? I know the answer for debian or arch, but I'm not so sure about openwrt.

hello everyone is it included in the last snapshot? "dnsmaq 2.87"

No. It is still just a pull request. Not yet merged.

1 Like

Poll the packages dir of the snapshots?

Seems rather pointless, at least before the PR is actually pushed; and if you want to know when that happens, go to the PR and hit the subscribe button.

1 Like

Nifty. I’m hoping it 2.87 might improve query performance with large adblock lists.

Would it be possible to backport 2.87 to the OpenWrt 21.x series also?

The PR received a lethal dose and is in need of a champion to resuscitate.

1 Like

You should have seen a huge improvement with v2.86. I can run the full OISD list with no increase in load or latency.

The dnsmasq 2.86 package hasn't been backported to OpenWrt 21.02 so I can't easily test it out. Also, that version of dnsmasq seems to have enough serious bugs that I'm holding off on upgrading to OpenWrt 22.03 until dnsmasq 2.87 lands.

dnsmasq v2.87 will land in master soon™ (for some value of soon), chances for it to land at all in openwrt-22.03 however would be slim (non-zero, as it can be argued that it fixes a real deficiency of nftables based ipsets, but very slim, as it is a quite major change in a release code base; generally, this would be a big no-no).

Hmm. I'm not particularly interested in the nftables related improvements myself. I'm much more interested in the security bug fixes, performance, and stability improvements. Judging from the forums, dnsmasq 2.86 is rather buggy and it has several CVEs.

I don't see any breaking changes in dnsmasq 2.87. So if we bumped the package version and made no other changes to how it integrates in the system (e.g. --nftset) then wouldn't it be a relatively safe net improvement over the status quo?

1 Like

Agree - 2.86 has a breaking bug that causes it to crash outright when configured to mask IPv6 responses for specific domains. At minimum this needs to be backported to 22.03.

dnsmasq ver.2.87 x86 64 for OpenWrt 22.03.2

Please give it a try,
But in my case ,nftset is not working properly

I tried to build my domain list config in forms of




and my nft table was like

table inet vpn_table {
        set set_vpn_v4 {
                type ipv4_addr
                flags interval
                elements {
        set set_vpn_v6 {
                type ipv6_addr
                flags interval
                elements {
        ruchains {xxxxxxxxx

the ipv4 addresses were added to the nft set correctly, some how it seem like dnsmasq didn't deal with the ipv6 addddress
maybe there are something wrong with my configuarations

----mistry solved------------
Turns out it was my fault,
No need to specify the address family for each sets.
DNSMASQ will put the right in the sets according to set types.
Seems like once DNSMASQ receive a given address family, it will discard all the records that don't fit, then,there won't be any records for the following sets with different address family specified


Thank you so much, you saved me a lot of time! Seems to be working just fine with pbr on OpenWrt 22.03!

Did you implement any changes in the init script from the previously closed PR or is it just the new dnsmasq binary with the old init script?

I just compiled the package and try it on the 22.03.2 official build, did not make any changes to the old init script

Would you be so kind to build and share dnsmasq-full 2.88 ipk for OpenWrt 22.03 using this: ?

1 Like