diff --git a/Documentation/getting-started-rkt.md b/Documentation/getting-started-rkt.md index eaa888c6..0c706f15 100644 --- a/Documentation/getting-started-rkt.md +++ b/Documentation/getting-started-rkt.md @@ -114,7 +114,7 @@ sudo rkt run --net=metal0:IP=172.18.0.3 \ --mount volume=config,target=/etc/dnsmasq.conf \ --volume config,kind=host,source=$PWD/contrib/dnsmasq/metal0.conf \ quay.io/coreos/dnsmasq:v0.4.0 \ - --caps-retain=CAP_NET_ADMIN,CAP_NET_BIND_SERVICE + --caps-retain=CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SETGID,CAP_SETUID,CAP_NET_RAW ``` If you get an error about the IP assignment, stop old pods and run garbage collection. diff --git a/Documentation/grub.md b/Documentation/grub.md index 334c293c..4d9ab4f7 100644 --- a/Documentation/grub.md +++ b/Documentation/grub.md @@ -26,7 +26,7 @@ Run the `quay.io/coreos/dnsmasq` container image with rkt or docker. ```sh sudo rkt run --net=metal0:IP=172.18.0.3 quay.io/coreos/dnsmasq \ - --caps-retain=CAP_NET_ADMIN,CAP_NET_BIND_SERVICE \ + --caps-retain=CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SETGID,CAP_SETUID,CAP_NET_RAW \ -- -d -q \ --dhcp-range=172.18.0.50,172.18.0.99 \ --enable-tftp \ diff --git a/Documentation/network-setup.md b/Documentation/network-setup.md index 590a259b..d770b8c0 100644 --- a/Documentation/network-setup.md +++ b/Documentation/network-setup.md @@ -154,7 +154,7 @@ Run DHCP, TFTP, and DNS on the host's network: ```sh sudo rkt run --net=host quay.io/coreos/dnsmasq \ - --caps-retain=CAP_NET_ADMIN,CAP_NET_BIND_SERVICE \ + --caps-retain=CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SETGID,CAP_SETUID,CAP_NET_RAW \ -- -d -q \ --dhcp-range=192.168.1.3,192.168.1.254 \ --enable-tftp \ 
@@ -183,7 +183,7 @@ Run a proxy-DHCP and TFTP service on the host's network: ```sh sudo rkt run --net=host quay.io/coreos/dnsmasq \ - --caps-retain=CAP_NET_ADMIN,CAP_NET_BIND_SERVICE \ + --caps-retain=CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SETGID,CAP_SETUID,CAP_NET_RAW \ -- -d -q \ --dhcp-range=192.168.1.1,proxy,255.255.255.0 \ --enable-tftp --tftp-root=/var/lib/tftpboot \ diff --git a/contrib/dnsmasq/README.md b/contrib/dnsmasq/README.md index b182aaa0..ceb14413 100644 --- a/contrib/dnsmasq/README.md +++ b/contrib/dnsmasq/README.md @@ -9,7 +9,9 @@ The image bundles `undionly.kpxe` which chainloads PXE clients to iPXE and `grub Run the container image as a DHCP, DNS, and TFTP service. ```sh -sudo rkt run --net=host quay.io/coreos/dnsmasq -- -d -q \ +sudo rkt run --net=host quay.io/coreos/dnsmasq \ + --caps-retain=CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SETGID,CAP_SETUID,CAP_NET_RAW \ + -- -d -q \ --dhcp-range=192.168.1.3,192.168.1.254 \ --enable-tftp \ --tftp-root=/var/lib/tftpboot \
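Review bot: In the Documentation/getting-started-rkt.md hunk the `--caps-retain` line grows from two capabilities to five, but the visible text around the command gives no reason for adding `CAP_SETGID`, `CAP_SETUID` and `CAP_NET_RAW`. Add a sentence next to the command stating what each retained capability is needed for, so a reader can tell which ones are safe to drop for their setup and later edits do not widen the list without a stated reason.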
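Review bot: The Documentation/grub.md hunk runs `quay.io/coreos/dnsmasq` with no tag, while the getting-started-rkt.md hunk pins `quay.io/coreos/dnsmasq:v0.4.0`. The capability list being changed here depends on what the image's dnsmasq build does at startup, so an untagged reference can drift away from the documented `--caps-retain` set. Pin the same tag in this command (the network-setup.md and contrib/dnsmasq/README.md commands are untagged as well).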
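Review bot: Both Documentation/network-setup.md hunks combine `--net=host` with the widened `--caps-retain` list, which means `CAP_NET_ADMIN` and the newly added `CAP_NET_RAW` apply to the host's own network namespace rather than to an isolated network such as the `metal0` one used in getting-started-rkt.md. State that in the text above these two commands, and say whether `CAP_NET_RAW` is required for the proxy-DHCP variant too or was only copied over from the full DHCP command.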
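Review bot: In the contrib/dnsmasq/README.md hunk the command previously had no `--caps-retain` flag at all and now carries the same five-capability list that is repeated verbatim in the four Documentation hunks. Since this README describes the image itself, document the required capabilities once here, with the reason for each, and have the other pages refer to it. That keeps five copies of the list from diverging on the next change.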