diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index 527769900..b14ef4775 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -8,10 +8,11 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmasq
-PKG_VERSION:=2.85
-PKG_RELEASE:=1
+PKG_UPSTREAM_VERSION:=2.85
+PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION)))
+PKG_RELEASE:=$(AUTORELEASE)
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz
 PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
 PKG_HASH:=ad98d3803df687e5b938080f3d25c628fe41c878752d03fbc6199787fee312fa
 
@@ -19,7 +20,7 @@ PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
 PKG_CPE_ID:=cpe:/a:thekelleys:dnsmasq
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_UPSTREAM_VERSION)
 
 PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1
@@ -31,7 +32,8 @@ PKG_CONFIG_DEPENDS:= CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcp \
 	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset \
 	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack \
 	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid \
-	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc
+	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc \
+	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_tftp
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -87,6 +89,7 @@ endef
 define Package/dnsmasq/conffiles
 /etc/config/dhcp
 /etc/dnsmasq.conf
+/etc/dnsmasq.d/
 endef
 
 define Package/dnsmasq-full/config
@@ -116,6 +119,9 @@ define Package/dnsmasq-full/config
 	config PACKAGE_dnsmasq_full_broken_rtc
 		bool "Build with HAVE_BROKEN_RTC."
 		default n
+	config PACKAGE_dnsmasq_full_tftp
+		bool "Build with TFTP server support."
+		default y
 	endif
 endef
 
@@ -125,7 +131,7 @@ Package/dnsmasq-full/conffiles = $(Package/dnsmasq/conffiles)
 TARGET_CFLAGS += -flto
 TARGET_LDFLAGS += -flto=jobserver
 
-COPTS = -DHAVE_UBUS \
+COPTS = -DHAVE_UBUS -DHAVE_POLL_H \
 	$(if $(CONFIG_IPV6),,-DNO_IPV6)
 
 ifeq ($(BUILD_VARIANT),nodhcpv6)
@@ -140,7 +146,8 @@ ifeq ($(BUILD_VARIANT),full)
 		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset),,-DNO_IPSET) \
 		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack),-DHAVE_CONNTRACK,) \
 		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid),-DNO_ID,) \
-		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc),-DHAVE_BROKEN_RTC)
+		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc),-DHAVE_BROKEN_RTC) \
+		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_tftp),,-DNO_TFTP)
 	COPTS += $(if $(CONFIG_LIBNETTLE_MINI),-DNO_GMP,)
 else
 	COPTS += -DNO_AUTH -DNO_IPSET -DNO_ID
@@ -165,7 +172,7 @@ define Package/dnsmasq/install
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/neigh
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/ntp
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/tftp
-	$(INSTALL_CONF) ./files/dnsmasqsec.hotplug $(1)/etc/hotplug.d/ntp/25-dnsmasqsec
+	$(INSTALL_DATA) ./files/dnsmasqsec.hotplug $(1)/etc/hotplug.d/ntp/25-dnsmasqsec
 	$(INSTALL_DIR) $(1)/usr/share/dnsmasq
 	$(INSTALL_CONF) ./files/dhcpbogushostname.conf $(1)/usr/share/dnsmasq/
 	$(INSTALL_CONF) ./files/rfc6761.conf $(1)/usr/share/dnsmasq/
@@ -173,6 +180,8 @@ define Package/dnsmasq/install
 	$(INSTALL_BIN) ./files/dhcp-script.sh $(1)/usr/lib/dnsmasq/dhcp-script.sh
 	$(INSTALL_DIR) $(1)/usr/share/acl.d
 	$(INSTALL_DATA) ./files/dnsmasq_acl.json $(1)/usr/share/acl.d/
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_BIN) ./files/50-dnsmasq-migrate-resolv-conf-auto.sh $(1)/etc/uci-defaults
 endef
 
 Package/dnsmasq-dhcpv6/install = $(Package/dnsmasq/install)
diff --git a/package/network/services/dnsmasq/files/dhcp-script.sh b/package/network/services/dnsmasq/files/dhcp-script.sh
index 86032694c..470097bf6 100755
--- a/package/network/services/dnsmasq/files/dhcp-script.sh
+++ b/package/network/services/dnsmasq/files/dhcp-script.sh
@@ -2,45 +2,52 @@
 
 [ -f "$USER_DHCPSCRIPT" ] && . "$USER_DHCPSCRIPT" "$@"
 
+. /usr/share/libubox/jshn.sh
+
+json_init
+json_add_array env
+hotplugobj=""
+
 case "$1" in
-	add)
-		export ACTION="add"
-		export MACADDR="$2"
-		export IPADDR="$3"
-		export HOSTNAME="$4"
-		exec /sbin/hotplug-call dhcp
-	;;
-	del)
-		export ACTION="remove"
-		export MACADDR="$2"
-		export IPADDR="$3"
-		export HOSTNAME="$4"
-		exec /sbin/hotplug-call dhcp
-	;;
-	old)
-		export ACTION="update"
-		export MACADDR="$2"
-		export IPADDR="$3"
-		export HOSTNAME="$4"
-		exec /sbin/hotplug-call dhcp
-	;;
-	arp-add)
-		export ACTION="add"
-		export MACADDR="$2"
-		export IPADDR="$3"
-		exec /sbin/hotplug-call neigh
-	;;
-	arp-del)
-		export ACTION="remove"
-		export MACADDR="$2"
-		export IPADDR="$3"
-		exec /sbin/hotplug-call neigh
-	;;
-	tftp)
-		export ACTION="add"
-		export TFTP_SIZE="$2"
-		export TFTP_ADDR="$3"
-		export TFTP_PATH="$4"
-		exec /sbin/hotplug-call tftp
+	add | del | old | arp-add | arp-del)
+		json_add_string "" "MACADDR=$2"
+		json_add_string "" "IPADDR=$3"
 	;;
 esac
+
+case "$1" in
+	add)
+		json_add_string "" "ACTION=add"
+		json_add_string "" "HOSTNAME=$4"
+		hotplugobj="dhcp"
+	;;
+	del)
+		json_add_string "" "ACTION=remove"
+		json_add_string "" "HOSTNAME=$4"
+		hotplugobj="dhcp"
+	;;
+	old)
+		json_add_string "" "ACTION=update"
+		json_add_string "" "HOSTNAME=$4"
+		hotplugobj="dhcp"
+	;;
+	arp-add)
+		json_add_string "" "ACTION=add"
+		hotplugobj="neigh"
+	;;
+	arp-del)
+		json_add_string "" "ACTION=remove"
+		hotplugobj="neigh"
+	;;
+	tftp)
+		json_add_string "" "ACTION=add"
+		json_add_string "" "TFTP_SIZE=$2"
+		json_add_string "" "TFTP_ADDR=$3"
+		json_add_string "" "TFTP_PATH=$4"
+		hotplugobj="tftp"
+	;;
+esac
+
+json_close_array env
+
+[ -n "$hotplugobj" ] && ubus call hotplug.${hotplugobj} call "$(json_dump)"
diff --git a/package/network/services/dnsmasq/files/dhcp.conf b/package/network/services/dnsmasq/files/dhcp.conf
index 57d6c9576..8c42ef782 100644
--- a/package/network/services/dnsmasq/files/dhcp.conf
+++ b/package/network/services/dnsmasq/files/dhcp.conf
@@ -20,8 +20,6 @@ config dnsmasq
 	#list notinterface	lo
 	#list bogusnxdomain     '64.94.110.11'
 	option localservice	1  # disable to allow DNS requests from non-local subnets
-	option filter_aaaa	0
-	option dns_redirect	1
 	option ednspacket_max	1232
 
 config dhcp lan
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index aa76a49de..ce898222f 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -903,11 +903,11 @@ dnsmasq_start()
 	append_bool "$cfg" noping "--no-ping"
 	append_bool "$cfg" rapidcommit "--dhcp-rapid-commit"
 	append_bool "$cfg" scriptarp "--script-arp"
-
+	
 	append_bool "$cfg" filter_aaaa "--filter-aaaa"
 
 	append_parm "$cfg" logfacility "--log-facility"
-
+	
 	append_parm "$cfg" mini_ttl "--min-ttl"
 
 	append_parm "$cfg" cachesize "--cache-size"
@@ -1110,6 +1110,7 @@ dnsmasq_start()
 			echo "search $DOMAIN" >> /tmp/resolv.conf
 		}
 		DNS_SERVERS="$DNS_SERVERS 127.0.0.1"
+		[ -e /proc/sys/net/ipv6 ] && DNS_SERVERS="$DNS_SERVERS ::1"
 		for DNS_SERVER in $DNS_SERVERS ; do
 			echo "nameserver $DNS_SERVER" >> /tmp/resolv.conf
 		done
@@ -1126,10 +1127,6 @@ dnsmasq_start()
 	procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
 
 	procd_close_instance
-
-	config_get_bool dns_redirect "$cfg" dns_redirect 0
-	config_get dns_port "$cfg" port 53
-	[ "$dns_redirect" = 1 ] && iptables -t nat -A PREROUTING -m comment --comment "DNSMASQ" -p udp --dport 53 -j REDIRECT --to-ports $dns_port
 }
 
 dnsmasq_stop()
@@ -1147,23 +1144,6 @@ dnsmasq_stop()
 	rm -f ${BASEDHCPSTAMPFILE}.${cfg}.*.dhcp
 }
 
-iptables_clear()
-{
-	nums=$(iptables -t nat -n -L PREROUTING 2>/dev/null | grep -c "DNSMASQ")
-	if [ -n "$nums" ]; then
-		until [ "$nums" = 0 ]
-		do
-			rules=$(iptables -t nat -n -L PREROUTING --line-num 2>/dev/null | grep "DNSMASQ" | awk '{print $1}')
-			for rule in $rules
-			do
-				iptables -t nat -D PREROUTING $rule 2> /dev/null
-				break
-			done
-			nums=$(expr $nums - 1)
-		done
-	fi
-}
-
 add_interface_trigger()
 {
 	local interface ignore
@@ -1234,7 +1214,6 @@ start_service() {
 }
 
 reload_service() {
-	iptables_clear
 	rc_procd start_service "$@"
 	procd_send_signal dnsmasq "$@"
 }
@@ -1261,5 +1240,4 @@ stop_service() {
 	else
 		config_foreach dnsmasq_stop dnsmasq
 	fi
-	iptables_clear
 }
diff --git a/package/network/services/dnsmasq/files/dnsmasq_acl.json b/package/network/services/dnsmasq/files/dnsmasq_acl.json
index 00ec7d0f0..47d7c2930 100644
--- a/package/network/services/dnsmasq/files/dnsmasq_acl.json
+++ b/package/network/services/dnsmasq/files/dnsmasq_acl.json
@@ -1,4 +1,12 @@
 {
 	"user": "dnsmasq",
-	"publish": [ "dnsmasq" ]
+	"publish": [ "dnsmasq" ],
+	"access": {
+		"hotplug.dhcp": {
+			"methods": [ "call" ]
+		},
+		"hotplug.neigh": {
+			"methods": [ "call" ]
+		}
+	}
 }
diff --git a/package/network/services/dnsmasq/files/dnsmasqsec.hotplug b/package/network/services/dnsmasq/files/dnsmasqsec.hotplug
index 71f5e68b2..a59148600 100644
--- a/package/network/services/dnsmasq/files/dnsmasqsec.hotplug
+++ b/package/network/services/dnsmasq/files/dnsmasqsec.hotplug
@@ -5,6 +5,7 @@ TIMEVALIDFILE="/var/state/dnsmasqsec"
 [ -f "$TIMEVALIDFILE" ] || {
 	echo "ntpd says time is valid" >$TIMEVALIDFILE
 	/etc/init.d/dnsmasq enabled && {
+		initscript=dnsmasq
 		. /lib/functions/procd.sh
 		procd_send_signal dnsmasq '*' INT
 	}