diff --git a/routlin/mod_dnsmasq.py b/routlin/mod_dnsmasq.py
index 80bf677..b581565 100644
--- a/routlin/mod_dnsmasq.py
+++ b/routlin/mod_dnsmasq.py
@@ -31,8 +31,9 @@ _log = logging.getLogger("blocklists")
 # ===================================================================
 def vlan_hosts_file(vlan):
- """Stable per-VLAN hosts file path (always the same regardless of blocklist combo)."""
- return BLOCKLIST_DIR / f"for-{vlan['name']}.hosts"
+ """Stable per-VLAN hosts file in the system dnsmasq config dir (world-readable,
+ accessible after dnsmasq drops privileges from root to the dnsmasq user)."""
+ return shared.DNSMASQ_CONF_DIR / f"for-{vlan['name']}.hosts"
 def blocklists_available(data):
@@ -275,8 +276,6 @@ def update_blocklist_hosts(data):
 hosts_file = vlan_hosts_file(vlan)
 if not bl_names:
- if not hosts_file.exists():
- hosts_file.write_text("")
 continue
 if not changed.intersection(bl_names) and hosts_file.exists():
@@ -287,9 +286,10 @@ def update_blocklist_hosts(data):
 hosts_file.write_text(_build_merged_hosts(domains, bl_names))
 _log.info(f"VLAN '{vlan_name}': wrote {len(domains):,} domains from [{', '.join(sorted(bl_names))}]")
- for f in BLOCKLIST_DIR.glob("for-*.hosts"):
+ for f in shared.DNSMASQ_CONF_DIR.glob("for-*.hosts"):
 vlan_name = f.stem.removeprefix("for-")
- if vlan_name not in active_vlan_names:
+ vlan = next((v for v in data.get("vlans", []) if v["name"] == vlan_name), None)
+ if vlan is None or not vlan.get("use_blocklists"):
 f.unlink()
 _log.info(f"Removed stale hosts file: {f.name}")
@@ -371,7 +371,8 @@ def build_vlan_dnsmasq_conf(vlan, data, iface):
 opts = shared.resolve_vlan_options(vlan)
 gateway = opts["gateway"]
- hosts_file = vlan_hosts_file(vlan)
+ bl_names = vlan.get("use_blocklists", [])
+ hosts_file = vlan_hosts_file(vlan) if bl_names else None
 L = [
 "# Generated by core.py -- do not edit manually.",
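Review bot: In `vlan_hosts_file`, `vlan['name']` is interpolated into the filename with no check visible in this hunk, and the target is now the system dnsmasq config directory rather than the tool's own blocklist directory. A name containing a path separator or `..` would place the file outside `shared.DNSMASQ_CONF_DIR`, and the same path is later written verbatim into `addn-hosts=` by build_vlan_dnsmasq_conf, so a newline in the name would add a line to the generated config. If names are not already validated where the configuration is loaded, reject them here with an allow-list, e.g. `if not re.fullmatch(r"[A-Za-z0-9_-]+", vlan["name"]): raise ValueError(f"invalid VLAN name: {vlan['name']!r}")`. It is also worth confirming how dnsmasq loads this directory: if it is read through `conf-dir` without an extension filter, the `.hosts` files, whose content comes from downloaded blocklists, would be parsed as configuration.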
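Review bot: In the `@@ -287,9 +286,10 @@` hunk of update_blocklist_hosts, nothing visible sets the mode of the file that `hosts_file.write_text(...)` creates, so whether it is world-readable, as the new docstring on vlan_hosts_file states, depends on the umask of the process running the merge. Under a restrictive umask dnsmasq may be unable to read the file after dropping privileges, and the blocklist would then not be loaded. Setting the mode explicitly after the write, `hosts_file.chmod(0o644)`, makes this independent of the caller's environment. Separately, the cleanup loop now unlinks every `for-*.hosts` in a shared system directory, so a comment such as `# for-*.hosts is reserved for this tool; anything else matching the glob is removed` would document that assumption. The function body begins and ends outside the hunk.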
@@ -487,12 +488,14 @@ def build_vlan_dnsmasq_conf(vlan, data, iface):
 for o in overrides:
 L += [f"# {o['description']}", f"address=/{o['host']}/{o['ip']}", ""]
- if hosts_file.exists():
+ if hosts_file and hosts_file.exists():
 L += [
 "# -- Blocklist ------------------------------------------------------",
 f"addn-hosts={hosts_file}",
 "",
 ]
+ elif bl_names:
+ L += ["# Blocklist not yet merged -- run: sudo python3 core.py --merge-blocklists", ""]
 return "\n".join(L)
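Review bot: When blocklists are configured but the merged file is missing, the new `elif bl_names:` branch leaves only a comment in the generated config, so the VLAN is served without DNS filtering and nothing is reported at run time. The module already defines `_log`, so the branch can report it: `_log.warning("VLAN '%s': blocklists configured but %s is missing; filtering not active", vlan["name"], hosts_file)`. The `exists()` test also reflects only the moment the config is generated; if the file is removed before dnsmasq starts, the config will reference a missing path. build_vlan_dnsmasq_conf begins outside this hunk.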