Comment 18 for bug 1501206

Dr. Jens Harbott (j-harbott) wrote :

IMO instead of setting up some complicated filtering, the proper solution would be to run dnsmasq with the option

--local-service
    Accept DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server. This option only has effect if there are no --interface, --except-interface, --listen-address or --auth-server options. It is intended to be set as a default on installation, to allow unconfigured installations to be useful but also safe from being used for DNS amplification attacks.

(see http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html)

The only issue here is that dnsmasq is currently started with a lot of --interfaces and --exclude-interfaces options, which results in the above option being ignored. At least in my environment, though, all of these options are redundant and I can replace them with --local-service and get the bug fixed.
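An added audit check, not part of this bug comment or of dnsmasq itself: it takes a dnsmasq command line and reports whether --local-service would actually be honoured, using the override rule from the man page quoted above (the option spellings are assumed from that quote; the sample command lines are constructed).

```sh
#!/bin/sh
# Added check (not from the bug report): --local-service is silently ignored
# when any --interface, --except-interface, --listen-address or --auth-server
# option is also present, so a command line can look hardened while still
# answering queries from every address it is bound to.

# local_service_effective ARGS... : exit 0 only if --local-service is present
# and none of the options that override it are.
local_service_effective() {
  has_local=0
  has_override=0
  for arg in "$@"; do
    case "$arg" in
      --local-service) has_local=1 ;;
      --interface|--interface=*|-i|-i?*) has_override=1 ;;
      --except-interface|--except-interface=*|-I|-I?*) has_override=1 ;;
      --listen-address|--listen-address=*|-a|-a?*) has_override=1 ;;
      --auth-server|--auth-server=*) has_override=1 ;;
    esac
  done
  if [ "$has_local" -eq 1 ] && [ "$has_override" -eq 0 ]; then
    return 0
  fi
  return 1
}

# audit_cmdline ARGS... : one-line verdict for a single command line.
audit_cmdline() {
  if local_service_effective "$@"; then
    echo "OK: --local-service is in effect"
  elif [ "$has_local" -eq 1 ]; then
    echo "WARN: --local-service present but overridden by interface/address options"
  else
    echo "WARN: no --local-service; relies on interface/address options only"
  fi
}

# Constructed command lines modelled on the situation in the comment.
audit_cmdline dnsmasq --local-service --interface=eth0 --except-interface=lo
audit_cmdline dnsmasq --local-service --no-resolv
# To audit the live process on a procps system: audit_cmdline $(ps -o args= -C dnsmasq)
```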