Q: Why does dnsmasq open UDP ports >1024 as well as port 53? Is this a security problem/trojan/backdoor?

A: The high ports that dnsmasq opens are for replies from the upstream nameserver(s). Queries from dnsmasq to upstream nameservers are sent from these ports and the replies are received on them. The reason for doing this is that most firewall setups block incoming packets _to_ port 53, in order to stop DNS queries from the outside world. If dnsmasq sent its queries from port 53, the replies would be _to_ port 53 and would get blocked. This is not a security hole, since dnsmasq will only accept replies on those ports: queries sent to them are dropped. The replies must also match outstanding queries which dnsmasq has forwarded, otherwise they are dropped too.

Q: Why doesn't dnsmasq support DNS queries over TCP? Don't the RFCs specify that?

A: Yes, they do, so technically dnsmasq is not RFC-compliant. In practice, the sorts of queries which dnsmasq is used for are always sent via UDP. Adding TCP support would make dnsmasq much more heavyweight for no practical benefit. If you really want to do zone transfers, forward port 53 TCP using in-kernel port-forwarding or a port-forwarder like rinetd.

Q: When I send SIGUSR1 to dump the contents of the cache, some entries have no IP address and are for names like mymachine.mydomain.com.mydomain.com. What are these?

A: They are negative entries: that's what the N flag means. Dnsmasq asked an upstream nameserver to resolve that name and it replied "doesn't exist, and won't exist for hours", so dnsmasq saved that information so that if _it_ gets asked the same question it can answer directly without having to go back to the upstream server again. The strange repeated domains result from the way resolvers search short names. See "man resolv.conf" for details.

Q: Will dnsmasq compile/run on non-Linux systems?

A: Yes, there is explicit support for *BSD and Solaris. For other systems, try altering the settings in config.h.
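The following is an added illustration, not dnsmasq's own code, of the acceptance rule described in the first answer: a forwarder sends each upstream query from a high port with a transaction ID, remembers the outstanding (port, ID, question) triple, and drops anything arriving on that port that is not a reply to exactly one of those outstanding queries. The wire encoding is real DNS header/question format; the `Forwarder` class, the `seed` parameter and the sample names are constructed for the example.

```python
import random
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR = 0x8000  # set in replies, clear in queries


def encode_name(name):
    """Encode a dotted name in DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype=1):
    """A minimal recursive-desired query for qname/qtype (class IN)."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_reply(txid, qname, qtype=1, addr="192.0.2.1"):
    """A minimal reply with one A record; used here to simulate upstream traffic."""
    header = DNS_HEADER.pack(txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA, NOERROR
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # Name pointer to offset 12 (the question name), then type/class/ttl/rdlength/rdata.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, 4)
    rr += bytes(int(octet) for octet in addr.split("."))
    return header + question + rr


def txid_of(pkt):
    return struct.unpack_from("!H", pkt)[0]


class Forwarder:
    """Constructed model of a forwarder's reply-matching; not dnsmasq's algorithm."""

    def __init__(self, seed=None):
        # A fixed seed makes the example reproducible; a real resolver uses a CSPRNG.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.outstanding = {}  # (local_port, txid) -> question section bytes
        self.dropped = 0

    def forward(self, qname, qtype=1):
        """Send a query from a fresh high port; remember it as outstanding."""
        port = self.rng.randint(1025, 65535)
        txid = self.rng.randint(0, 0xFFFF)
        pkt = build_query(txid, qname, qtype)
        self.outstanding[(port, txid)] = pkt[DNS_HEADER.size:]
        return port, pkt

    def receive(self, port, pkt):
        """Return the answer count of an accepted reply, or None if the packet is dropped."""
        if len(pkt) < DNS_HEADER.size:
            self.dropped += 1
            return None
        txid, flags, _qd, ancount, _ns, _ar = DNS_HEADER.unpack_from(pkt)
        if not flags & FLAG_QR:
            self.dropped += 1  # a query aimed at the high port: not served
            return None
        expected = self.outstanding.get((port, txid))
        if expected is None:
            self.dropped += 1  # wrong port or unknown transaction ID
            return None
        qlen = len(expected)
        if pkt[DNS_HEADER.size:DNS_HEADER.size + qlen] != expected:
            self.dropped += 1  # ID matched but question differs
            return None
        del self.outstanding[(port, txid)]  # one reply per query; replays are dropped
        return ancount


if __name__ == "__main__":
    fwd = Forwarder(seed=1)
    port, query = fwd.forward("example.com")
    print("query sent from port", port, "txid", txid_of(query))
    print("stray query dropped:", fwd.receive(port, query) is None)
    print("matching reply accepted, answers:", fwd.receive(port, build_reply(txid_of(query), "example.com")))
```

The question-section comparison matters as much as the ID and port: a packet that guesses the 16-bit ID but names a different question is still discarded, and once a reply has been consumed the slot is gone, so a replay of the same reply is dropped as well.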
Q: My company's nameserver knows about some names which aren't in the public DNS. Even though I put it first in /etc/resolv.conf, it doesn't work: dnsmasq seems not to use the nameservers in the order given. What am I doing wrong?

A: By default, dnsmasq treats all the nameservers it knows about as equal: it picks the one to use with an algorithm designed to avoid nameservers which aren't responding. To make dnsmasq use the servers in order, give it the -o flag. If you want some queries sent to a special server, think about using the -S flag to give the IP address of that server and telling dnsmasq exactly which domains to use that server for.
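As an added example (not dnsmasq's own code), the model below parses a small constructed dnsmasq-style configuration using the long forms of the two options from the answer (`server=/domain/ip` for -S and `strict-order` for -o) and shows which upstream servers a given query name may go to. The "avoid non-responding servers" behaviour is represented only by a caller-supplied `failing` set; dnsmasq's actual selection heuristic is not reproduced. The domain, addresses and names are constructed sample values.

```python
# Constructed sample configuration in dnsmasq.conf syntax (addresses are documentation ranges).
SAMPLE_CONF = """\
# company names live only on the internal server
server=/corp.example/10.0.0.53
# everything else goes to these resolvers
server=192.0.2.1
server=192.0.2.2
"""


def parse_conf(text):
    """Return (strict_order, [(domain, ip)], [general ip]) from dnsmasq-style lines."""
    strict = False
    domain_servers = []
    general = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line == "strict-order":
            strict = True
        elif line.startswith("server="):
            value = line[len("server="):]
            if value.startswith("/"):
                # server=/domain/ip : use ip only for names under domain
                _, domain, ip = value.split("/", 2)
                domain_servers.append((domain.lower().rstrip("."), ip))
            else:
                general.append(value)
    return strict, domain_servers, general


def in_domain(qname, domain):
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def candidate_servers(qname, conf, failing=frozenset()):
    """Servers eligible for qname, in the order the model would try them.

    A domain-specific server always wins (longest matching domain first).
    Otherwise, with strict-order the general servers are returned in config
    order; without it they are treated as equal and failing ones are skipped.
    """
    strict, domain_servers, general = conf
    best = None
    for domain, ip in domain_servers:
        if in_domain(qname, domain) and (best is None or len(domain) > len(best[0])):
            best = (domain, ip)
    if best is not None:
        return [best[1]]
    if strict:
        return list(general)  # dnsmasq -o: config order is honoured
    alive = [ip for ip in general if ip not in failing]
    return alive or list(general)  # all equal; unresponsive ones avoided


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("intranet.corp.example ->", candidate_servers("intranet.corp.example", conf))
    print("www.example.org ->", candidate_servers("www.example.org", conf))
    strict_conf = parse_conf("strict-order\n" + SAMPLE_CONF)
    print("www.example.org (strict-order) ->", candidate_servers("www.example.org", strict_conf))
```

The first print shows why the -S form solves the question asked: names under the company domain never reach the public resolvers at all, regardless of server ordering, and a query for a public name never reaches the internal server.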