LXC Secure DNS Stack for Cloudflare Using Unbound + Pihole + Tor (repressed) + Avahi

To install dnsmasq on Debian in a way that integrates smoothly with your existing Tor + Unbound + Pi-hole setup, follow these steps:


1. Install dnsmasq

apt update && apt install -y dnsmasq

2. Disable systemd-resolved (If Active)

Debian systems sometimes use systemd-resolved, which can conflict with dnsmasq. Check if it’s running:

systemctl is-active systemd-resolved

If active, disable and stop it:

systemctl disable --now systemd-resolved

Then remove the symlink and restore /etc/resolv.conf:

rm -f /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf

3. Configure dnsmasq

Edit the config file:

nano /etc/dnsmasq.conf

Add or modify the following lines to integrate with Unbound + Tor:


# Use a specific DNS server (your Unbound instance)
server=127.0.0.1#5335

# Ensure dnsmasq does not cache (Unbound handles caching)
cache-size=0

# Local domain and upstream queries
domain-needed
bogus-priv

# Set the DHCP option for DNS servers
dhcp-option=6,192.168.1.2

# Optional: Enable DHCP if needed
# interface=eth0
# dhcp-range=192.168.1.50,192.168.1.150,12h

Note: If Unbound listens on port 5335, keep server=127.0.0.1#5335 as shown. If Unbound is configured for a different port, change the port after the # in that line to match.
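As an added check that is not part of the original guide: the script below reads the port Unbound is configured with and confirms that the dnsmasq server= line points at it, and that the options from the config above are present and uncommented. It assumes Unbound listens on 127.0.0.1 and that the paths in the commented usage lines are the Debian/Pi-hole defaults.

```shell
#!/bin/sh
# Added example, not part of the original guide: confirm that dnsmasq forwards
# to the port Unbound really listens on and that the options above are set.
# Assumption: Unbound listens on 127.0.0.1 (the guide's server= line).

# Print the port from the "port:" directive in an Unbound config file.
# Unbound defaults to 53 when the directive is absent, so do the same.
unbound_port() {
    p=$(awk -F: '/^[[:space:]]*port:/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1")
    printf '%s\n' "${p:-53}"
}

# Print the host#port from the first uncommented server= line in dnsmasq.conf.
# dnsmasq uses port 53 when no "#port" suffix is given, so normalise to that.
dnsmasq_upstream() {
    s=$(awk '/^[[:space:]]*server=/ { sub(/^[[:space:]]*server=/, ""); print; exit }' "$1")
    case "$s" in
        *#*) printf '%s\n' "$s" ;;
        *)   printf '%s#53\n' "$s" ;;
    esac
}

# Return 0 when dnsmasq's upstream matches 127.0.0.1#<Unbound port>, else 1.
check_upstream_port() {
    up=$(dnsmasq_upstream "$1")
    want="127.0.0.1#$(unbound_port "$2")"
    if [ "$up" = "$want" ]; then
        echo "OK: dnsmasq forwards to $up"
        return 0
    fi
    echo "MISMATCH: dnsmasq forwards to '$up' but Unbound listens on '$want'" >&2
    return 1
}

# Return 0 when every option given is present and uncommented in dnsmasq.conf.
check_required_options() {
    conf=$1; shift
    rc=0
    for opt in "$@"; do
        grep -q "^[[:space:]]*$opt" "$conf" || { echo "missing: $opt" >&2; rc=1; }
    done
    return $rc
}

# Usage on a real host (paths are assumed Debian/Pi-hole defaults):
#   check_upstream_port /etc/dnsmasq.conf /etc/unbound/unbound.conf.d/pi-hole.conf
#   check_required_options /etc/dnsmasq.conf cache-size=0 domain-needed bogus-priv
```

A non-zero exit from either function means the dnsmasq and Unbound configs disagree, which would show up as failed lookups in step 5.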


4. Restart and Enable dnsmasq

systemctl restart dnsmasq
systemctl enable dnsmasq

5. Verify It’s Working

Run:

systemctl status dnsmasq

And test DNS resolution:

nslookup example.com 127.0.0.1

You should see a valid response.


This setup ensures that:

  • dnsmasq forwards queries to Unbound (which, in turn, uses Tor for anonymous lookups).
  • Pi-hole can still function as an ad-blocking DNS.
  • DHCP clients use dnsmasq as their DNS resolver.