diff --git a/internal/pxe/dnsmasq.go b/internal/pxe/dnsmasq.go
index d0f396f..7e201a7 100644
--- a/internal/pxe/dnsmasq.go
+++ b/internal/pxe/dnsmasq.go
@@ -276,6 +276,12 @@ dhcp-host={{ .MAC }},set:known
 # DHCP range (broader subnet coverage is fine; allowlist above gates replies).
 dhcp-range={{ .Cfg.DHCPRange }}
 
+# Keep runtime state inside RuntimeDir so the systemd sandbox
+# (ReadWritePaths=/var/lib/vetting ...) doesn't block writes to the
+# distro defaults (/var/lib/misc/dnsmasq.leases, /run/dnsmasq.pid).
+dhcp-leasefile={{ .Cfg.RuntimeDir }}/dhcp.leases
+pid-file={{ .Cfg.RuntimeDir }}/dnsmasq.pid
+
 # TFTP + HTTP boot (iPXE chainload).
 enable-tftp
 tftp-root={{ .Cfg.TFTPRoot }}
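Review bot: `{{ .Cfg.RuntimeDir }}` is rendered into `dhcp-leasefile=` and `pid-file=` with no guard visible in this hunk, so an empty value would produce `/dhcp.leases` and `/dnsmasq.pid`, and a relative one would resolve against dnsmasq's working directory rather than the sandbox's writable path. The template and the config loading both start and end outside the hunk, so this may already be enforced; if it is not, reject the value before rendering with something like `if !filepath.IsAbs(runtimeDir) { return fmt.Errorf("runtime dir %q must be absolute", runtimeDir) }`, which also covers the empty string. The value should also be checked for newlines, since it is written verbatim into a line-oriented config file. Because the pid file is what tooling reads to decide which process to signal, I would extend the new comment with `# RuntimeDir must be owned by the service and not writable by other users.`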