diff --git a/SOURCES/dnsmasq-2.85-domain-blocklist-speedup.patch b/SOURCES/dnsmasq-2.85-domain-blocklist-speedup.patch
new file mode 100644
index 0000000..fa0404e
--- /dev/null
+++ b/SOURCES/dnsmasq-2.85-domain-blocklist-speedup.patch
@@ -0,0 +1,106 @@
+From 4cab3d930f9236408b838adfdaaeb6508a928bbf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Fri, 9 Jun 2023 22:11:01 +0200
+Subject: [PATCH] Use serv_domain only for regular servers
+
+Do not try to use it for --local=/x/ or --address=/x/#. Some users use
+quite long list of blocks, which slows down walking trough domain list
+considerably. But searching by server_domain_find_domain is needed only
+for normal servers, which may store there last used server and number
+of recent forwarded queries. Local addresses overrides store there no
+useful information, avoid searching and adding new domains for such
+records.
+
+Would also speed up searching servers when blocklists are used, because
+only domains of servers are tested.
+
+Resolves: rhbz#2209031
+---
+ src/forward.c |  4 ++--
+ src/option.c  | 13 ++++++++-----
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/src/forward.c b/src/forward.c
+index d8e845a..989fb61 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -234,8 +234,8 @@ static unsigned int search_servers(time_t now, struct all_addr **addrpp, unsigne
+       *type = 0; /* use normal servers for this domain */
+       *domain = NULL;
+     }
+-  if (serv_domain && !*serv_domain)
+-    *serv_domain = server_domain_find_domain(*domain);
++  if (serv_domain && !*serv_domain && (*type & SERV_HAS_DOMAIN)==0)
++    *serv_domain = server_domain_find_domain(NULL);
+   return  flags;
+ }
+ 
+diff --git a/src/option.c b/src/option.c
+index 1382c55..b22fc90 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -906,7 +906,7 @@ static struct server *add_rev4(struct in_addr addr, int msize)
+   p += sprintf(p, "in-addr.arpa");
+   
+   serv->flags = SERV_HAS_DOMAIN;
+-  server_domain_new(serv);
++  serv->serv_domain = NULL;
+   serv->next = daemon->servers;
+   daemon->servers = serv;
+ 
+@@ -931,7 +931,7 @@ static struct server *add_rev6(struct in6_addr *addr, int msize)
+   p += sprintf(p, "ip6.arpa");
+   
+   serv->flags = SERV_HAS_DOMAIN;
+-  server_domain_new(serv);
++  serv->serv_domain = NULL;
+   serv->next = daemon->servers;
+   daemon->servers = serv;
+   
+@@ -2246,7 +2246,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ 				  memset(serv, 0, sizeof(struct server));
+ 				  serv->domain = d;
+ 				  serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR;
+-				  server_domain_new(serv);
++				  serv->serv_domain = NULL;
+ 				  serv->next = daemon->servers;
+ 				  daemon->servers = serv;
+ 				}
+@@ -2291,7 +2291,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ 				  memset(serv, 0, sizeof(struct server));
+ 				  serv->domain = d;
+ 				  serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR;
+-				  server_domain_new(serv);
++				  serv->serv_domain = NULL;
+ 				  serv->next = daemon->servers;
+ 				  daemon->servers = serv;
+ 				}
+@@ -2542,7 +2542,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ 		newlist = serv;
+ 		serv->domain = domain;
+ 		serv->flags = domain ? SERV_HAS_DOMAIN : SERV_FOR_NODOTS;
+-		server_domain_new(serv);
++		serv->serv_domain = NULL;
+ 		arg = end;
+ 		if (rebind)
+ 		  break;
+@@ -2594,6 +2594,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ 	        server_list_free(newlist);
+ 	        ret_err(err);
+ 	      }
++	    if ((newlist->flags & SERV_LITERAL_ADDRESS)==0)
++	      server_domain_new(newlist);
+ 	  }
+ 	
+ 	serv = newlist;
+@@ -2637,6 +2639,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ 	else
+ 	  ret_err(gen_err);
+  
++	server_domain_new(serv);
+ 	string = parse_server(comma, &serv->addr, &serv->source_addr, serv->interface, &serv->flags);
+ 	
+ 	if (string)
+-- 
+2.41.0
+
diff --git a/SOURCES/dnsmasq-2.87-log-root-writeable.patch b/SOURCES/dnsmasq-2.87-log-root-writeable.patch
new file mode 100644
index 0000000..6a4a241
--- /dev/null
+++ b/SOURCES/dnsmasq-2.87-log-root-writeable.patch
@@ -0,0 +1,64 @@
+From e342e4d5c3093d8dd9e2d622e46d36f67bfb4925 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Mon, 10 Jan 2022 12:34:42 +0100
+Subject: [PATCH] Add root group writeable flag to log file
+
+Some systems strips even root process capability of writing to different
+users file. That include systemd under Fedora. When
+log-facility=/var/log/dnsmasq.log is used, log file with mode 0640
+is created. But restart then fails, because such log file can be used
+only when created new. Existing file cannot be opened by root when
+starting, causing fatal error. Avoid that by adding root group writeable flag.
+
+Ensure group is always root when granting write access. If it is
+anything else, administrator has to configure correct rights.
+
+(cherry picked from commit 1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c)
+---
+ src/log.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/src/log.c b/src/log.c
+index 1ec3447..bcd6e52 100644
+--- a/src/log.c
++++ b/src/log.c
+@@ -100,10 +100,23 @@ int log_start(struct passwd *ent_pw, int errfd)
+   /* If we're running as root and going to change uid later,
+      change the ownership here so that the file is always owned by
+      the dnsmasq user. Then logrotate can just copy the owner.
+-     Failure of the chown call is OK, (for instance when started as non-root) */
+-  if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0 && 
+-      fchown(log_fd, ent_pw->pw_uid, -1) != 0)
+-    ret = errno;
++     Failure of the chown call is OK, (for instance when started as non-root).
++     
++     If we've created a file with group-id root, we also make
++     the file group-writable. This gives processes in the root group
++     write access to the file and avoids the problem that on some systems,
++     once the file is owned by the dnsmasq user, it can't be written
++     whilst dnsmasq is running as root during startup.
++ */
++  if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0)
++    {
++      struct stat ls;
++      if (getgid() == 0 && fstat(log_fd, &ls) == 0 && ls.st_gid == 0 &&
++	  (ls.st_mode & S_IWGRP) == 0)
++	(void)fchmod(log_fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP);
++      if (fchown(log_fd, ent_pw->pw_uid, -1) != 0)
++	ret = errno;
++    }
+ 
+   return ret;
+ }
+@@ -118,7 +131,7 @@ int log_reopen(char *log_file)
+       /* NOTE: umask is set to 022 by the time this gets called */
+       
+       if (log_file)
+-	log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);      
++	log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
+       else
+ 	{
+ #if defined(HAVE_SOLARIS_NETWORK) || defined(__ANDROID__)
+-- 
+2.40.1
+
diff --git a/SOURCES/dnsmasq-2.89-edns0-size.patch b/SOURCES/dnsmasq-2.89-edns0-size.patch
new file mode 100644
index 0000000..ff835b2
--- /dev/null
+++ b/SOURCES/dnsmasq-2.89-edns0-size.patch
@@ -0,0 +1,45 @@
+From 9d8270be2e2b31437684f2d87add9a28a41f0c75 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 7 Mar 2023 22:07:46 +0000
+Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
+
+http://www.dnsflagday.net/2020/ refers.
+
+Thanks to Xiang Li for the prompt.
+
+(cherry picked from commit eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5)
+---
+ man/dnsmasq.8 | 3 ++-
+ src/config.h  | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index fce580f..4b0b180 100644
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -171,7 +171,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
+ .TP
+ .B \-P, --edns-packet-max=<size>
+ Specify the largest EDNS.0 UDP packet which is supported by the DNS
+-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
++forwarder. Defaults to 1232, which is the recommended size following the
++DNS flag day in 2020. Only increase if you know what you are doing.
+ .TP
+ .B \-Q, --query-port=<query_port>
+ Send outbound DNS queries from, and listen for their replies on, the
+diff --git a/src/config.h b/src/config.h
+index 8c41943..62b7fa1 100644
+--- a/src/config.h
++++ b/src/config.h
+@@ -19,7 +19,7 @@
+ #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
+ #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
+ #define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
+-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
++#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from  /dnsflagday.net/2020 */
+ #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
+ #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
+ #define DNSSEC_WORK 50 /* Max number of queries to validate one question */
+-- 
+2.39.2
+
diff --git a/SPECS/dnsmasq.spec b/SPECS/dnsmasq.spec
index 0a98431..3c75ec1 100644
--- a/SPECS/dnsmasq.spec
+++ b/SPECS/dnsmasq.spec
@@ -13,7 +13,7 @@
 
 Name:           dnsmasq
 Version:        2.79
-Release:        26%{?extraversion:.%{extraversion}}%{?dist}.1
+Release:        31%{?extraversion:.%{extraversion}}%{?dist}
 Summary:        A lightweight DHCP/caching DNS server
 
 License:        GPLv2 or GPLv3
@@ -83,12 +83,19 @@ Patch37:        dnsmasq-2.81-linux-SIOCGSTAMP.patch
 Patch38:        dnsmasq-2.79-server-domain-fixup.patch
 # https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=f8c77edbdffb8ada7753ea9fa104f0f6da70cfe3
 Patch39:        dnsmasq-2.81-dhcpv6-relay-link-address.patch
+# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5
+Patch40:        dnsmasq-2.89-edns0-size.patch
 # Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481
 # Fixes issue in Patch4
 Patch41:        dnsmasq-2.85-serv_domain-rh2186481.patch
 # Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481
 # complements patch10
 Patch42:        dnsmasq-2.85-serv_domain-rh2186481-2.patch
+# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c
+Patch43:        dnsmasq-2.87-log-root-writeable.patch
+# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2209031
+# complements patch42
+Patch44:        dnsmasq-2.85-domain-blocklist-speedup.patch
 
 # This is workaround to nettle bug #1549190
 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190
@@ -161,8 +168,11 @@ server's leases.
 %patch37 -p1 -b .SIOCGSTAMP
 %patch38 -p1 -b .rh2120357
 %patch39 -p1 -b .rh2169355
+%patch40 -p1 -b .CVE-2023-28450
 %patch41 -p1 -b .rh2186481
 %patch42 -p1 -b .rh2186481-2
+%patch43 -p1 -b .rh2156789
+%patch44 -p1 -b .rh2209031
 
 # use /var/lib/dnsmasq instead of /var/lib/misc
 for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -262,10 +272,21 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man1/dhcp_*
 
 %changelog
-* Fri Apr 21 2023 Petr Menšík <pemensik@redhat.com> - 2.79-26.1
-- Correct possible crashes when server=/example.net/# is used (#2186481)
+* Wed Jun 14 2023 Petr Menšík <pemensik@redhat.com> - 2.79-31
+- Do not create and search --local and --address=/x/# domains (#2233542)
+
+* Wed Jun 14 2023 Petr Menšík <pemensik@redhat.com> - 2.79-30
+- Make create logfile writeable by root (#2156789)
+
+* Wed May 10 2023 Petr Menšík <pemensik@redhat.com> - 2.79-29
 - Fix also dynamically set resolvers over dbus (#2186481)
 
+* Fri Apr 21 2023 Petr Menšík <pemensik@redhat.com> - 2.79-28
+- Correct possible crashes when server=/example.net/# is used (#2186481)
+
+* Mon Apr 03 2023 Petr Menšík <pemensik@redhat.com> - 2.79-27
+- Limit offered EDNS0 size to 1232 (CVE-2023-28450)
+
 * Wed Feb 15 2023 Petr Menšík <pemensik@redhat.com> - 2.79-26
 - Avoid DHCPv6 relayed replies with Client Link-Layer Address (#2169355)