diff --git a/package/gluon-wan-dnsmasq/files/etc/init.d/gluon-wan-dnsmasq b/package/gluon-wan-dnsmasq/files/etc/init.d/gluon-wan-dnsmasq
index 6f5daa63fd334e5bdaae4ad5b3b5ab757c12217d..6203383d1688e63a33e16f75fd06deac5286f493 100755
--- a/package/gluon-wan-dnsmasq/files/etc/init.d/gluon-wan-dnsmasq
+++ b/package/gluon-wan-dnsmasq/files/etc/init.d/gluon-wan-dnsmasq
@@ -8,12 +8,29 @@ RESOLV_CONF_DIR=/var/gluon/wan-dnsmasq
 RESOLV_CONF=$RESOLV_CONF_DIR/resolv.conf
 
 start_service() {
+	mkdir -p /var/run/dnsmasq/
 	mkdir -p $RESOLV_CONF_DIR
 	touch "$RESOLV_CONF"
 
 	procd_open_instance
-	procd_set_param command /usr/sbin/dnsmasq -u root -i lo -p 54 -h -k -c 0 -r $RESOLV_CONF
+	procd_set_param command /usr/sbin/dnsmasq \
+		--user=dnsmasq \
+		--group=dnsmasq \
+		--interface=lo \
+		--port=54 \
+		--no-hosts \
+		--keep-in-foreground \
+		--pid-file=/var/run/dnsmasq/gluon-wan-dnsmasq.pid \
+		--cache-size=0 \
+		--resolv-file=$RESOLV_CONF
 	procd_set_param env LD_PRELOAD=libpacketmark.so LIBPACKETMARK_MARK=1
 	procd_set_param respawn 60 5 5
+
+	procd_add_jail dnsmasq log
+	procd_add_jail_mount $RESOLV_CONF_DIR
+	procd_add_jail_mount /usr/lib/libpacketmark.so
+	procd_add_jail_mount /etc/passwd /etc/group /etc/TZ
+	procd_add_jail_mount_rw /var/run/dnsmasq/
+
 	procd_close_instance
 }