Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be lightweight and have a small footprint, suitable for resource-constrained routers and firewalls. It has also been widely used for tethering on smartphones and portable hotspots, and to support virtual networking in virtualisation frameworks. Supported platforms include Linux (with glibc and uclibc), Android, *BSD, and Mac OS X. Dnsmasq is included in most Linux distributions and the ports systems of FreeBSD, OpenBSD and NetBSD. Dnsmasq provides full IPv6 support.
A note about why the server=/example.net/ directive should, by default, always be used over the address=/example.net/ directive within BlackLists
According to the man page of dnsmasq, there is a very important note on the usage of the address directive.
This clearly indicates that most "guides" are dead wrong in their approaches to giving the best advice, go figure...
Specify an IP address to return for any host in the given domains. Queries in the domains are never forwarded and always replied to with the specified IP address which may be IPv4 or IPv6. To give both IPv4 and IPv6 addresses for a domain, use repeated --address flags. To include multiple IP addresses for a single query, use --addn-hosts=<path> instead. Note that /etc/hosts and DHCP leases override this for individual names. A common use of this is to redirect the entire doubleclick.net domain to some friendly local web server to avoid banner ads. The domain specification works in the same way as for --server, with the additional facility that /#/ matches any domain. Thus --address=/#/184.108.40.206 will always return 220.127.116.11 for any query not answered from /etc/hosts or DHCP and not sent to an upstream nameserver by a more specific --server directive. As for --server, one or more domains with no address returns a no-such-domain answer, so --address=/example.com/ is equivalent to --server=/example.com/ and returns NXDOMAIN for example.com and all its subdomains. An address specified as '#' translates to the NULL address of 0.0.0.0 and its IPv6 equivalent of :: so --address=/example.com/# will return NULL addresses for example.com and its subdomains. This is partly syntactic sugar for --address=/example.com/0.0.0.0 and --address=/example.com/:: but is also more efficient than including both as separate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves.
Source: man dnsmasq
From the above we can see that the best practice for blocking unwanted content, while still being able to allow whitelisted content, is to use the --address directive within a BlackLists file: it allows wildcard blocking of domains with a shady purpose, e.g. example.com or example.net, and still lets you whitelist exceptionally needed subdomains by using the --server directive.
The BlackLists file should therefore be formatted as:
address=/example.org/                    # Block all domains that belong
                                         # to example.org with NXDOMAIN
                                         # response
server=/www.example.org/18.104.22.168    # UnBlock and forward this
                                         # specific DNS name to your
                                         # DNS-recursor as usual
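The precedence this layout relies on (the most specific domain rule wins, so a server= exception overrides a broader address= block) can be checked before a list is deployed. The sketch below is an added example, not code from dnsmasq or from the original page: parse_rules, resolve and SAMPLE_CONF are names made up here, the comment-stripping rule is an assumption about the config syntax, and /etc/hosts and DHCP overrides are not modelled.

```python
import re

# Constructed sample: the page's two blacklist lines plus the NULL-address form
# from the quoted man page text (address=/example.com/#).
SAMPLE_CONF = """\
address=/example.org/                   # block example.org and all subdomains
server=/www.example.org/18.104.22.168   # exception: forward this name upstream
address=/example.com/#                  # answer 0.0.0.0 / :: instead of NXDOMAIN
"""

def parse_rules(text):
    """Return {domain: (directive, target)} for address= and server= lines."""
    rules = {}
    for raw in text.splitlines():
        # Assumed comment rule: '#' opens a comment only at line start or after
        # whitespace, so the '#' target in address=/example.com/# survives.
        line = re.sub(r"(^|\s)#.*", "", raw).strip()
        directive, _, value = line.partition("=")
        if directive not in ("address", "server") or not value.startswith("/"):
            continue
        *domains, target = value.split("/")[1:]
        for domain in domains:
            # /#/ is the match-anything domain; model it as the empty suffix.
            rules["" if domain == "#" else domain.lower()] = (directive, target)
    return rules

def resolve(rules, qname):
    """Apply the most specific (longest label-aligned suffix) rule to qname."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) + 1):
        rule = rules.get(".".join(labels[i:]))
        if rule is None:
            continue
        directive, target = rule
        if target == "":
            return ("nxdomain", None)   # either directive with no target
        if directive == "server":
            return ("forward", target)  # whitelisted: sent to this upstream
        return ("null", None) if target == "#" else ("answer", target)
    return ("default", None)            # no rule: normal upstream resolution

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for name in ("ads.example.org", "www.example.org", "notexample.org"):
        print(name, resolve(rules, name))
```

Matching is done on whole labels, so notexample.org is not caught by the example.org rule, while cdn.www.example.org inherits the www.example.org exception.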