diff --git a/dns/dnsmasq/Makefile b/dns/dnsmasq/Makefile
index c0cb701dbee6..81a358810111 100644
--- a/dns/dnsmasq/Makefile
+++ b/dns/dnsmasq/Makefile
@@ -1,173 +1,173 @@
 PORTNAME=	dnsmasq
-DISTVERSION=	2.91
+DISTVERSION=	2.92
 # Leave the PORTREVISION in even if 0 to avoid accidental PORTEPOCH bumps:
-PORTREVISION=	2
+PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	dns
-MASTER_SITES=	https://www.thekelleys.org.uk/dnsmasq/ \
-		LOCAL/mandree/
+MASTER_SITES=	LOCAL/mandree/ \
+		https://thekelleys.org.uk/dnsmasq/
 
 MAINTAINER=	mandree@FreeBSD.org
 COMMENT=	Lightweight DNS forwarder, DHCP, and TFTP server
 WWW=		https://www.thekelleys.org.uk/dnsmasq/doc.html
 
 LICENSE=	GPLv2
 
 USES=		compiler cpe shebangfix tar:xz
 CPE_VENDOR=	thekelleys
 
 SHEBANG_FILES=	contrib/dnslist/dnslist.pl \
 		contrib/dynamic-dnsmasq/dynamic-dnsmasq.pl
 
 MAKE_ARGS=	CC="${CC}" \
 		CFLAGS="${CFLAGS}" \
 		COPTS="${CFLAGS}" \
 		LIBS="${LDFLAGS}" \
 		PREFIX="${PREFIX}" \
 		RPM_OPT_FLAGS="${CPPFLAGS}"
 CFLAGS+=	-Wall
 # https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
 # Note there are ${ARCH}-dependent options below after .include <bsd.port.pre.mk>
-# Note that these are enforced for now (2025-09-16), and we can't subject them to PIE/FORTIFY/SSP_UNSAFE or WITHOUT_ options for now.
+# Note that these are enforced, and we won't subject them to PIE/FORTIFY/SSP_UNSAFE or WITHOUT_ options.
 CFLAGS+=	-Wall -Wformat -Wformat=2 \
 		-Werror=format-security \
 		-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \
 		-fstrict-flex-arrays=3 \
 		-fstack-clash-protection -fstack-protector-strong \
 		-fno-delete-null-pointer-checks -fno-strict-overflow \
 		-fno-strict-aliasing -ftrivial-auto-var-init=zero
 LDFLAGS+=	-Wl,-z,nodlopen -Wl,-z,noexecstack \
 		-Wl,-z,relro -Wl,-z,now \
 		-Wl,--as-needed -Wl,--no-copy-dt-needed-entries
 CFLAGS+=	-fPIE
 LDFLAGS+=	-pie
 # error on obsolete C constructs
 CFLAGS+=	-Werror=implicit -Werror=incompatible-pointer-types \
 		-Werror=int-conversion
 # tune down harmless warnings due to coding style
 CFLAGS+=	-Wno-unused-function -Wno-unused-parameter \
 		-Wno-unused-value -Wno-unused-variable -Wno-format-nonliteral
 CPPFLAGS+=	-I${LOCALBASE}/include
 
 CONFLICTS_INSTALL=	dnsmasq-devel
 
 SUB_FILES=	pkg-message
 
 PORTDOCS=	CHANGELOG CHANGELOG.archive FAQ doc.html setup.html
 
 OPTIONS_DEFINE=		DBUS DNSSEC DOCS IPSET IPV6 LUA
 OPTIONS_DEFAULT=	DNSSEC IPSET
 OPTIONS_RADIO=		INTL
 OPTIONS_RADIO_INTL=	IDN NLS
 OPTIONS_EXCLUDE+=	EXAMPLES
 
 DNSSEC_DESC=	Enable DNSSEC caching and validation (needs nettle)
 IDN_DESC=	IDN: Int'l Domain Names WITHOUT full NLS
 INTL_DESC=	Internationalization Support Level
 IPSET_DESC=	Dynamic firewall management of resolved names (needs PF)
 LUA_DESC=	Support lease-change scripts written in Lua
 NLS_DESC=	IDN+NLS: Int'l Domain Names & National Language support
 
 IPSET_CFLAGS_OFF=	-DNO_IPSET
 IPV6_CFLAGS_OFF=	-DNO_IPV6
 
 .include <bsd.port.options.mk>
 
 .if ${PORT_OPTIONS:MNLS}
 USES+=		gettext gmake iconv pkgconfig
 CFLAGS+=	-DHAVE_LIBIDN2
 LIB_DEPENDS+=	libidn2.so:dns/libidn2
 PLIST_SUB+=	NLS=""
 ALL_TARGET=	all-i18n
 _intllibs=	-lidn2 -lintl
 .else
 _intllibs=
 PLIST_SUB+=	NLS="@comment "
 .if ${PORT_OPTIONS:MIDN}
 USES+=		iconv
 CFLAGS+=	-DHAVE_LIBIDN2
 LIB_DEPENDS+=	libidn2.so:dns/libidn2
 _intllibs+=	-lidn2
 .endif
 .endif
 
 .if ${PORT_OPTIONS:MDBUS}
 LIB_DEPENDS+=	libdbus-1.so:devel/dbus
 USES+=		pkgconfig
 CPPFLAGS+=	`pkg-config --cflags dbus-1`
 CFLAGS+=	-DHAVE_DBUS
 LDFLAGS+=	`pkg-config --libs dbus-1`
 .endif
 
 .if ${PORT_OPTIONS:MLUA}
 CPPFLAGS+=	-I${LUA_INCDIR}
 CFLAGS+=	-DHAVE_LUASCRIPT
 LDFLAGS+=	-L${LUA_LIBDIR} -llua-${LUA_VER}
 USES+=		lua pkgconfig
 .endif
 
 .if ${PORT_OPTIONS:MDNSSEC}
 CFLAGS+=	-DHAVE_DNSSEC -I${LOCALBASE}/include
 USES+=		pkgconfig
 LIB_DEPENDS+=	libgmp.so:math/gmp \
 		libnettle.so:security/nettle
 .endif
 
 USE_RC_SUBR=	dnsmasq
 
 .include <bsd.port.pre.mk>
 
 # https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
 .if ${ARCH} == "amd64"
 CFLAGS+=	-fcf-protection=full
 .endif
 .if ${ARCH} == "aarch64"
 CFLAGS+=	-mbranch-protection=standard
 .endif
 .if ${CHOSEN_COMPILER_TYPE} == "gcc"
 CFLAGS+=	-Wtrampolines
 .endif
 
 LDFLAGS+=	-L${LOCALBASE}/lib ${_intllibs} ${ICONV_LIB}
 
 post-patch:
 	${REINPLACE_CMD} -e '/^LUA /s/lua/lua-${LUA_VER}/' ${WRKSRC}/Makefile
 
 pre-configure: pretty-print-config
 .if ${PORT_OPTIONS:MIDN}
 .if empty(PORT_OPTIONS:MNLS)
 	@if ${READELF} -d ${LOCALBASE}/lib/libidn2.so \
 		| ${EGREP} -q '\<NEEDED\>.*\[libintl\.so' ; \
 	then ${ECHO} ; ${ECHO} 'WARNING: dns/libidn2 was compiled with NLS support!' ; \
 	${ECHO} 'Recompile libidn2 WITHOUT_NLS to get rid of NLS dependencies.' ; ${ECHO} ; \
 	fi
 .else
 	@${ECHO} 'WARNING: IDN and NLS enabled, building IDN WITH NLS.'
 .endif
 .endif
 
 do-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/src/dnsmasq ${STAGEDIR}${PREFIX}/sbin
 	${INSTALL_DATA} ${WRKSRC}/dnsmasq.conf.example ${STAGEDIR}${PREFIX}/etc/dnsmasq.conf.sample
 	${REINPLACE_CMD} -i '' 's}%%PREFIX%%}${PREFIX}}' ${STAGEDIR}${PREFIX}/etc/dnsmasq.conf.sample
 	${INSTALL_MAN} ${WRKSRC}/man/${PORTNAME}.8 ${STAGEDIR}${PREFIX}/share/man/man8
 	${MKDIR} ${STAGEDIR}${DATADIR}
 	${INSTALL_DATA} ${WRKSRC}/trust-anchors.conf ${STAGEDIR}${DATADIR}/
 .if ${PORT_OPTIONS:MDOCS}
 	@${MKDIR} ${STAGEDIR}${DOCSDIR}
 	cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
 .endif
 .if ${PORT_OPTIONS:MNLS}
 .for i in de es fi fr id it no pl pt_BR ro
 	${MKDIR} ${STAGEDIR}${PREFIX}/share/locale/${i}/LC_MESSAGES
 	${INSTALL_DATA} ${WRKSRC}/src/${i}.mo \
 		${STAGEDIR}${PREFIX}/share/locale/${i}/LC_MESSAGES/${PORTNAME}.mo
 .endfor
 .endif
 	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}/dynamic-dnsmasq ${STAGEDIR}${EXAMPLESDIR}/dnslist
 	${INSTALL_SCRIPT} ${WRKSRC}/contrib/dynamic-dnsmasq/dynamic-dnsmasq.pl ${STAGEDIR}${EXAMPLESDIR}/dynamic-dnsmasq/
 	${INSTALL_SCRIPT} ${WRKSRC}/contrib/dnslist/dnslist.pl ${STAGEDIR}${EXAMPLESDIR}/dnslist/
 	${INSTALL_DATA} ${WRKSRC}/contrib/dnslist/dhcp.css ${STAGEDIR}${EXAMPLESDIR}/dnslist/
 	${INSTALL_DATA} ${WRKSRC}/contrib/dnslist/dnslist.tt2 ${STAGEDIR}${EXAMPLESDIR}/dnslist/
 
 .include <bsd.port.post.mk>
diff --git a/dns/dnsmasq/distinfo b/dns/dnsmasq/distinfo
index 747553a94907..89c332c415cb 100644
--- a/dns/dnsmasq/distinfo
+++ b/dns/dnsmasq/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1742506571
-SHA256 (dnsmasq-2.91.tar.xz) = f622682848b33677adb2b6ad08264618a2ae0a01da486a93fd8cd91186b3d153
-SIZE (dnsmasq-2.91.tar.xz) = 576820
+TIMESTAMP = 1768429117
+SHA256 (dnsmasq-2.92.tar.xz) = 4bf50c2c1018f9fbc26037df51b90ecea0cb73d46162846763b92df0d6c3a458
+SIZE (dnsmasq-2.92.tar.xz) = 637752
diff --git a/dns/dnsmasq/files/patch-src_util.c b/dns/dnsmasq/files/patch-src_util.c
deleted file mode 100644
index a50483debfeb..000000000000
--- a/dns/dnsmasq/files/patch-src_util.c
+++ /dev/null
@@ -1,73 +0,0 @@
-commit 15841f187d2b208a6113d4e2d479d3af4275bb1c
-Author: Simon Kelley <simon@thekelleys.org.uk>
-Date:   Sun Jun 22 23:04:36 2025 +0100
-
-    Fix issue with fast file-descriptor close on *BSD.
-    
-    This fixes a problem introduced in 8a5fe8ce6bb6c2bd81f237a0f4a2583722ffbd1c
-    
-    On BSD, fdescfs is normally mounted at /dev/fd. However
-    if it is NOT mounted, devfs creates a directory at /dev/fd
-    which contains (only) the file descriptors 0,1 and 2.
-    
-    Under these conditions, opendir() will succeed, and
-    if we proceed we will fail to close extant
-    file descriptors which should be closed.
-    
-    Check that there is a filesystem mounted at /dev/fd
-    by checking that the device changes between /dev/fd
-    and /dev. If if doesn't, fall back to the dumb path.
-    
-    Thanks to Roman Bogorodskiy for spotting the problem
-    and helping with diagnosis.
-
---- src/util.c.orig	2025-03-14 15:09:35 UTC
-+++ src/util.c
-@@ -34,6 +34,10 @@
- #include <sys/utsname.h>
- #endif
- 
-+#ifdef HAVE_BSD_NETWORK
-+#include <libgen.h>
-+#endif
-+
- /* SURF random number generator */
- 
- static u32 seed[32];
-@@ -831,9 +835,34 @@ void close_fds(long max_fd, int spare1, int spare2, in
- #endif
- 
- #ifdef FDESCFS
--  DIR *d;
-+  DIR *d = NULL;
-   
--  if ((d = opendir(FDESCFS)))
-+#  ifdef HAVE_BSD_NETWORK
-+  dev_t dirdev = 0;
-+  char fdescfs[] = FDESCFS; /* string must be writable */
-+  struct stat statbuf;
-+
-+  /* On BSD, fdescfs is normally mounted at /dev/fd. However
-+     if it is NOT mounted, devfs creates a directory at /dev/fd
-+     which contains (only) the file descriptors 0,1 and 2.
-+
-+     Under these conditions, opendir() will succeed, and
-+     if we proceed we will fail to close extant
-+     file descriptors which should be closed.
-+     
-+     Check that there is a filesystem mounted at /dev/fd
-+     by checking that the device changes between /dev/fd
-+     and /dev. If if doesn't, fall back to the dumb path. */
-+  
-+  if (stat(fdescfs, &statbuf) != -1)
-+    dirdev = statbuf.st_dev;
-+
-+  if (stat(dirname(fdescfs), &statbuf) != -1 &&
-+      dirdev != statbuf.st_dev)
-+#  endif
-+    d = opendir(FDESCFS);
-+      
-+  if (d)
-     {
-       struct dirent *de;
- 
diff --git a/dns/dnsmasq/files/pkg-message.in b/dns/dnsmasq/files/pkg-message.in
index 3585d591a921..e46d4b2642c3 100644
--- a/dns/dnsmasq/files/pkg-message.in
+++ b/dns/dnsmasq/files/pkg-message.in
@@ -1,24 +1,24 @@
 [
 {
-message: <<EOM
+type: [install, upgrade], message: <<EOM
 To enable dnsmasq, edit %%PREFIX%%/etc/dnsmasq.conf and
 set dnsmasq_enable="YES" in /etc/rc.conf[.local]
 
 Further options and actions are documented inside
 %%PREFIX%%/etc/rc.d/dnsmasq
 
 
 NOTE: when using dnssec, inaccurate system clocks
 can cause DNS resolution to fail
 because DNSSEC signatures may then not validate.
 
 
 SECURITY RECOMMENDATION
 ~~~~~~~~~~~~~~~~~~~~~~~
 It is recommended to enable the wpad-related options
 at the end of the configuration file (you may need to
 copy them from the example file to yours) to fix
 CERT Vulnerability VU#598349.
 EOM
 }
 ]
diff --git a/dns/dnsmasq/files/simon-kelley-keyring.asc b/dns/dnsmasq/files/simon-kelley-keyring.asc
new file mode 100644
index 000000000000..50e3ccf33ef1
Binary files /dev/null and b/dns/dnsmasq/files/simon-kelley-keyring.asc differ
diff --git a/dns/dnsmasq/files/update.py b/dns/dnsmasq/files/update.py
new file mode 100755
index 000000000000..117c0e9c95a4
--- /dev/null
+++ b/dns/dnsmasq/files/update.py
@@ -0,0 +1,52 @@
+#!/usr/bin/env python3
+"""update.py for dnsmasq-devel - (C) 2025 Matthias Andree, placed under MIT license
+To use, edit Makefile with the new version,
+then run files/update.py, which will download, check sigs, if GnuPG checks out, update makesum,
+upload tarball and sig to my public_distfiles/ because upstream has low bandwidth, and test build.
+
+If things work out, commit manually and push."""
+
+import os
+import shutil
+import subprocess
+import sys
+
+def trace(func):
+    def wrapper(*args, **kwargs):
+        print(f"\n> {func.__name__}({args}, {kwargs})", file=sys.stderr)
+        retval = func(*args, **kwargs)
+        print(f"< {func.__name__} -> {retval!r}", file=sys.stderr)
+        return retval
+    return wrapper
+
+traced_run = trace(subprocess.run)
+
+cleanenv={'LC_ALL': 'C.UTF-8',
+          'PATH': os.environ["PATH"]}
+defargs={"check": "True", "env": cleanenv, "encoding": 'UTF-8'}
+
+try:
+    distdir, master_site, files_dir, dist_dir = map(str.strip, traced_run(['make', '-V', 'DISTDIR',
+                                                                           '-V', 'MASTER_SITES:N*FreeBSD*',
+                                                                           '-V', 'FILESDIR',
+                                                                           '-V', 'DISTDIR'],
+                                                                          capture_output=True, **defargs).stdout.splitlines())
+    filename_tarball = traced_run('make -V DISTFILES'.split(), capture_output=True, **defargs).stdout.splitlines()[0].strip()
+    filename_signature = filename_tarball + '.asc'
+    uri_tarball = master_site + filename_tarball
+    uri_signature = master_site + filename_signature
+    traced_run(['fetch', uri_tarball, uri_signature], **defargs)
+    traced_run(['gpg', '--no-options', '--with-colons', '--status-fd', '1',
+                                        '--no-default-keyring', '--keyring', files_dir + '/simon-kelley-keyring.asc',
+                                        '--verify', filename_signature, filename_tarball], **defargs)
+    traced_run(['rsync', '-avHPW', '--chmod=0644', filename_tarball, filename_signature, 'freefall.freebsd.org:public_distfiles/'], **defargs)
+    shutil.move(filename_tarball, dist_dir + '/' + filename_tarball)
+    traced_run(['make', 'makesum', 'clean'], **defargs)
+    os.remove(filename_signature)
+    traced_run(['make', 'check-plist', 'package'], **defargs)
+    print("\nSUCCESS\n")
+except Exception as cpe:
+    print("\nERROR\n")
+    print(repr(cpe))
+    print("\nERROR\n")
+    sys.exit(1)