--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -21,8 +21,8 @@
 #bogus-priv
 
 # Uncomment these to enable DNSSEC validation and caching:
-# (Requires dnsmasq to be built with DNSSEC option.)
-#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
+# (Requires dnsmasq-dnssec package to be installed)
+#conf-file=/usr/share/dnsmasq/trust-anchors.conf
 #dnssec
 
 # Replies which are not DNSSEC signed may be legitimate, because the domain
@@ -96,9 +96,13 @@
 
 # If you want dnsmasq to change uid and gid to something other
 # than the default, edit the following lines.
-#user=
-#group=
+#user=dnsmasq
+#group=dnsmasq
 
+# Serve DNS and DHCP only to networks directly connected to this machine.
+# Any interface= line will override it.
+local-service
+
 # If you want dnsmasq to listen for DHCP and DNS requests only on
 # specified interfaces (and the loopback) give the name of the
 # interface (eg eth0) here.
@@ -671,7 +675,7 @@
 #conf-dir=/etc/dnsmasq.d,.bak
 
 # Include all files in a directory which end in .conf
-#conf-dir=/etc/dnsmasq.d/,*.conf
+conf-dir=/etc/dnsmasq.d/,*.conf
 
 # If a DHCP client claims that its name is "wpad", ignore that.
 # This fixes a security hole. see CERT Vulnerability VU#598349