diff --git a/patches/drop-setuid-from-dnsmasq.patch b/patches/drop-setuid-from-dnsmasq.patch
new file mode 100644
index 0000000..ae576ee
--- /dev/null
+++ b/patches/drop-setuid-from-dnsmasq.patch
@@ -0,0 +1,113 @@
+Description: Drop code where dnsmasq drops privileges from root.
+ This code isn't required because in strict mode we run worker
+ processes as root:root and setuid is not allowed by the current
+ plugs.
+Author: Corey Bryant
+Forwarded: no
+
+---
+ src/dnsmasq.c | 88 -----------------------------------------------------------
+ 1 file changed, 88 deletions(-)
+
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index 045ec53..4fe5531 100644
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -578,94 +578,6 @@ int main (int argc, char **argv)
+ daemon->helperfd = create_helper(pipewrite, err_pipe[1], script_uid, script_gid, max_fd);
+ #endif
+
+- if (!option_bool(OPT_DEBUG) && getuid() == 0)
+- {
+- int bad_capabilities = 0;
+- gid_t dummy;
+-
+- /* remove all supplimentary groups */
+- if (gp &&
+- (setgroups(0, &dummy) == -1 ||
+- setgid(gp->gr_gid) == -1))
+- {
+- send_event(err_pipe[1], EVENT_GROUP_ERR, errno, daemon->groupname);
+- _exit(0);
+- }
+-
+- if (ent_pw && ent_pw->pw_uid != 0)
+- {
+-#if defined(HAVE_LINUX_NETWORK)
+- /* On linux, we keep CAP_NETADMIN (for ARP-injection) and
+- CAP_NET_RAW (for icmp) if we're doing dhcp. If we have yet to bind
+- ports because of DAD, or we're doing it dynamically,
+- we need CAP_NET_BIND_SERVICE too. 
*/
+- if (is_dad_listeners() || option_bool(OPT_CLEVERBIND))
+- data->effective = data->permitted = data->inheritable =
+- (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW) |
+- (1 << CAP_SETUID) | (1 << CAP_NET_BIND_SERVICE);
+- else
+- data->effective = data->permitted = data->inheritable =
+- (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW) | (1 << CAP_SETUID);
+-
+- /* Tell kernel to not clear capabilities when dropping root */
+- if (capset(hdr, data) == -1 || prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1)
+- bad_capabilities = errno;
+-
+-#elif defined(HAVE_SOLARIS_NETWORK)
+- /* http://developers.sun.com/solaris/articles/program_privileges.html */
+- priv_set_t *priv_set;
+-
+- if (!(priv_set = priv_str_to_set("basic", ",", NULL)) ||
+- priv_addset(priv_set, PRIV_NET_ICMPACCESS) == -1 ||
+- priv_addset(priv_set, PRIV_SYS_NET_CONFIG) == -1)
+- bad_capabilities = errno;
+-
+- if (priv_set && bad_capabilities == 0)
+- {
+- priv_inverse(priv_set);
+-
+- if (setppriv(PRIV_OFF, PRIV_LIMIT, priv_set) == -1)
+- bad_capabilities = errno;
+- }
+-
+- if (priv_set)
+- priv_freeset(priv_set);
+-
+-#endif
+-
+- if (bad_capabilities != 0)
+- {
+- send_event(err_pipe[1], EVENT_CAP_ERR, bad_capabilities, NULL);
+- _exit(0);
+- }
+-
+- /* finally drop root */
+- if (setuid(ent_pw->pw_uid) == -1)
+- {
+- send_event(err_pipe[1], EVENT_USER_ERR, errno, daemon->username);
+- _exit(0);
+- }
+-
+-#ifdef HAVE_LINUX_NETWORK
+- if (is_dad_listeners() || option_bool(OPT_CLEVERBIND))
+- data->effective = data->permitted =
+- (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW) | (1 << CAP_NET_BIND_SERVICE);
+- else
+- data->effective = data->permitted =
+- (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW);
+- data->inheritable = 0;
+-
+- /* lose the setuid and setgid capbilities */
+- if (capset(hdr, data) == -1)
+- {
+- send_event(err_pipe[1], EVENT_CAP_ERR, errno, NULL);
+- _exit(0);
+- }
+-#endif
+-
+- }
+- }
+-
+ #ifdef HAVE_LINUX_NETWORK
+ free(hdr);
+ free(data);
+--
+2.11.0
+
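Review bot: The removed block is more than the setuid/setgid call the Description names: it is also the only place in this hunk where dnsmasq narrows its Linux capability set (the capset()/prctl(PR_SET_KEEPCAPS) sequence keeping CAP_NET_ADMIN, CAP_NET_RAW and, when needed, CAP_NET_BIND_SERVICE, with inheritable cleared afterwards) and drops supplementary groups via setgroups(), so the forked worker now keeps the full root capability set and relies entirely on snap confinement. The Description should state that and name the compensating control, e.g. append ` This also removes the capset()-based capability bounding and the setgroups() call, so the process keeps full root capabilities; strict confinement is the compensating control.` If the confinement permits capset() to reduce an existing capability set (it needs no uid change), keeping that part and removing only the setgroups/setgid/setuid calls would be the smaller change. Whether `--user`/`--group` are still parsed elsewhere is outside the hunk; if they are, they now silently have no effect and that belongs in the Description too. The enclosing main() starts before and continues past the hunk.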
diff --git a/snapcraft.yaml b/snapcraft.yaml
index cff71c5..85e92ca 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -101,6 +101,13 @@ parts:
 bridge-utils:
 source: https://www.kernel.org/pub/linux/utils/net/bridge-utils/bridge-utils-1.6.tar.gz
 plugin: autotools
+ conntrack-tools:
+ source: http://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-1.4.3.tar.bz2
+ plugin: autotools
+ build-packages:
+ - libnetfilter-cttimeout-dev
+ - libnetfilter-cthelper0-dev
+ - libnetfilter-queue-dev
 iproute2:
 source: https://www.kernel.org/pub/linux/utils/net/iproute2/iproute2-4.9.0.tar.gz
 plugin: autotools
@@ -143,6 +150,36 @@ parts:
 - bin/dnsmasq
 stage: [$bin]
 prime: [$bin]
+ prepare: |
+ export SNAP_ROOT="../../../"
+ export SNAP_SOURCE="$SNAP_ROOT/parts/dnsmasq/build"
+ patch -d $SNAP_SOURCE -p1 < $SNAP_ROOT/patches/drop-setuid-from-dnsmasq.patch
+ dnsmasq-lease:
+ source: http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.76.tar.xz
+ plugin: make
+ make-parameters:
+ - "-C"
+ - "contrib/lease-tools"
+ build-packages:
+ - libgmp-dev
+ - libidn11-dev
+ - libnetfilter-conntrack-dev
+ - nettle-dev
+ artifacts:
+ - contrib/lease-tools/dhcp_release
+ - contrib/lease-tools/dhcp_release6
+ - contrib/lease-tools/dhcp_lease_time
+ organize:
+ contrib/lease-tools/dhcp_release: bin/dhcp_release
+ contrib/lease-tools/dhcp_release6: bin/dhcp_release6
+ contrib/lease-tools/dhcp_lease_time: bin/dhcp_lease_time
+ filesets:
+ bin:
+ - bin/dhcp_release
+ - bin/dhcp_release6
+ - bin/dhcp_lease_time
+ stage: [$bin]
+ prime: [$bin]
 openvswitch:
 source: http://openvswitch.org/releases/openvswitch-2.6.1.tar.gz
 plugin: autotools
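Review bot: The new `conntrack-tools` and `dnsmasq-lease` parts fetch their tarballs over plain `http://` with no `source-checksum`, so the build accepts whatever the network returns and the privilege-sensitive dnsmasq patch is then applied on top of unverified source; the same gap applies to the `dnsmasq` part's existing source, which is outside these hunks. Pin each new source with a checksum line under `source:`, e.g. `source-checksum: sha256/<sha256-of-conntrack-tools-1.4.3.tar.bz2>` and `source-checksum: sha256/<sha256-of-dnsmasq-2.76.tar.xz>` (placeholders, fill from the upstream-published digests). In the `prepare` scriptlet the path variables are unquoted and `patch` is invoked on a relative `../../../` root with nothing confirming it succeeded; `patch -d "$SNAP_SOURCE" -p1 < "$SNAP_ROOT/patches/drop-setuid-from-dnsmasq.patch" || exit 1` makes a failed or already-applied patch fail the build instead of silently shipping an unpatched binary, unless snapcraft already runs scriptlets with errexit, which I cannot confirm from here.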