diff --git a/misc/CMakeLists.txt b/misc/CMakeLists.txt
index 68576c4b6..17fb856ff 100644
--- a/misc/CMakeLists.txt
+++ b/misc/CMakeLists.txt
@@ -7,6 +7,8 @@ configure_file(logrotate.conf.in "${CMAKE_CURRENT_BINARY_DIR}/logrotate.conf" @O
 configure_file(syslog.conf.in "${CMAKE_CURRENT_BINARY_DIR}/syslog.conf" @ONLY)
 configure_file(com.zoneminder.systemctl.policy.in "${CMAKE_CURRENT_BINARY_DIR}/com.zoneminder.systemctl.policy" @ONLY)
 configure_file(com.zoneminder.systemctl.rules.in "${CMAKE_CURRENT_BINARY_DIR}/com.zoneminder.systemctl.rules" @ONLY)
+configure_file(com.zoneminder.dnsmasq.policy.in "${CMAKE_CURRENT_BINARY_DIR}/com.zoneminder.dnsmasq.policy" @ONLY)
+configure_file(com.zoneminder.dnsmasq.rules.in "${CMAKE_CURRENT_BINARY_DIR}/com.zoneminder.dnsmasq.rules" @ONLY)
 configure_file(com.zoneminder.arp-scan.policy.in "${CMAKE_CURRENT_BINARY_DIR}/com.zoneminder.arp-scan.policy" @ONLY)
 configure_file(com.zoneminder.arp-scan.rules.in "${CMAKE_CURRENT_BINARY_DIR}/com.zoneminder.arp-scan.rules" @ONLY)
 configure_file(zoneminder.service.in "${CMAKE_CURRENT_BINARY_DIR}/zoneminder.service" @ONLY)
diff --git a/misc/com.zoneminder.dnsmasq.policy.in b/misc/com.zoneminder.dnsmasq.policy.in
new file mode 100644
index 000000000..006bd2e59
--- /dev/null
+++ b/misc/com.zoneminder.dnsmasq.policy.in
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+<policyconfig>
+
+  <vendor>The ZoneMinder Project</vendor>
+  <vendor_url>https://www.zoneminder.com/</vendor_url>
+
+  <action id="com.zoneminder.policykit.pkexec.run-systemctl">
+    <description>Allow the ZoneMinder webuser to start/stop the dnsmasq service</description>
+    <message>The ZoneMinder webuser is trusted to start/stop dnsmasq</message>
+    <defaults>
+      <allow_any>yes</allow_any>
+      <allow_inactive>yes</allow_inactive>
+      <allow_active>yes</allow_active>
+    </defaults>
+    <annotate key="org.freedesktop.policykit.exec.path">/bin/systemctl</annotate>
+  </action>
+
+</policyconfig>
diff --git a/misc/com.zoneminder.dnsmasq.rules.in b/misc/com.zoneminder.dnsmasq.rules.in
new file mode 100644
index 000000000..481b09af6
--- /dev/null
+++ b/misc/com.zoneminder.dnsmasq.rules.in
@@ -0,0 +1,9 @@
+// Allow www-data to manage dnsmasq.service;
+// fall back to implicit authorization otherwise.
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.systemd1.manage-units" &&
+        action.lookup("unit") == "dnsmasq.service" &&
+        subject.user == "@WEB_USER@") {
+        return polkit.Result.YES;
+    }
+});