diff --git a/src/anonymized_dns.rs b/src/anonymized_dns.rs
index f0e6c00..bf7cb44 100644
--- a/src/anonymized_dns.rs
+++ b/src/anonymized_dns.rs
@@ -96,9 +96,8 @@ pub async fn handle_anonymized_dns(
         let fut = ext_socket.recv_from(&mut response[..]);
         let (response_len, response_addr) = fut.await?;
         if response_addr == upstream_address
-            && (DNSCRYPT_UDP_RESPONSE_MIN_SIZE..=DNSCRYPT_UDP_RESPONSE_MAX_SIZE)
-                .contains(&response_len)
-            && response[..DNSCRYPT_RESPONSE_MAGIC_SIZE] == DNSCRYPT_RESPONSE_MAGIC
+            && (is_encrypted_response(&response, response_len)
+                || is_certificate_response(&response, response_len))
         {
             response.truncate(response_len);
             break;
@@ -110,3 +109,19 @@ pub async fn handle_anonymized_dns(
 
     respond_to_query(client_ctx, response).await
 }
+
+#[inline]
+fn is_encrypted_response(response: &[u8], response_len: usize) -> bool {
+    (DNSCRYPT_UDP_RESPONSE_MIN_SIZE..=DNSCRYPT_UDP_RESPONSE_MAX_SIZE).contains(&response_len)
+        && response[..DNSCRYPT_RESPONSE_MAGIC_SIZE] == DNSCRYPT_RESPONSE_MAGIC
+}
+
+#[inline]
+fn is_certificate_response(response: &[u8], response_len: usize) -> bool {
+    (DNSCRYPT_RESPONSE_CERT_PREFIX_OFFSET + DNSCRYPT_RESPONSE_CERT_PREFIX.len()
+        ..=DNS_MAX_PACKET_SIZE)
+        .contains(&response_len)
+        && response[DNSCRYPT_RESPONSE_CERT_PREFIX_OFFSET
+            ..DNSCRYPT_RESPONSE_CERT_PREFIX_OFFSET + DNSCRYPT_RESPONSE_CERT_PREFIX.len()]
+            == DNSCRYPT_RESPONSE_CERT_PREFIX
+}
diff --git a/src/dnscrypt.rs b/src/dnscrypt.rs
index 0912ab1..03b4480 100644
--- a/src/dnscrypt.rs
+++ b/src/dnscrypt.rs
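Review bot: The relaxed condition at the `&&` now forwards a plaintext datagram from `upstream_address` as soon as a 24-byte public prefix matches, and the loop still `break`s on that first match, so on UDP a spoofed packet carrying the prefix (the source address is the only other filter) makes the relay hand the client a bogus reply and silently drop the genuine one. The encrypted path has the same first-match property and this change does not worsen it, but the certificate path has no nonce or tag, so nothing later in the pipeline distinguishes the forgery from the answer that was lost. If the relayed query bytes are still reachable in this function, checking the DNS transaction ID, `&& response[..2] == relayed_packet[..2]` (parameter name assumed — confirm against the signature), would cheaply reject stray and spoofed plaintext packets before the `break`. `handle_anonymized_dns` starts before and ends after this hunk.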
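Review bot: `is_certificate_response` compares all 24 bytes of `DNSCRYPT_RESPONSE_CERT_PREFIX` at offset 4, which, reading the constant as a DNS header, pins ANCOUNT to 1 and ARCOUNT to 0 as well as QDCOUNT; a certificate reply carrying several TXT records, or an OPT record because the client's query used EDNS0, will not match, and since the caller only `break`s on a match such a reply is dropped and the client is left waiting for the timeout. Only QDCOUNT and the question-name labels identify a certificate answer, so the comparison should cover bytes 4..6 and the name, leaving the other three counters free; `starts_with` on a `get()`-bounded slice also removes the reliance on `response` being the full-size buffer that the current `response[OFFSET..OFFSET + len]` indexing assumes. Both helpers are complete within this hunk; the constant itself lives in `src/dnscrypt.rs`.

```rust
#[inline]
fn is_certificate_response(response: &[u8], response_len: usize) -> bool {
    // Plaintext certificate reply: QDCOUNT == 1 and the question name begins with
    // "2.dnscrypt-cert". ANCOUNT/NSCOUNT/ARCOUNT are deliberately left unconstrained
    // so multi-certificate answers and replies carrying an OPT record still match.
    let qname_prefix = &DNSCRYPT_RESPONSE_CERT_PREFIX[8..]; // skip the four header counters
    if response_len > DNS_MAX_PACKET_SIZE || response_len > response.len() {
        return false;
    }
    let pkt = &response[..response_len];
    pkt.get(DNSCRYPT_RESPONSE_CERT_PREFIX_OFFSET..DNSCRYPT_RESPONSE_CERT_PREFIX_OFFSET + 2)
        == Some(&[0x00, 0x01][..])
        && pkt.get(12..).map_or(false, |qname| qname.starts_with(qname_prefix))
}
```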
@@ -23,6 +23,11 @@ pub const DNSCRYPT_QUERY_MIN_OVERHEAD: usize =
 pub const DNSCRYPT_RESPONSE_MAGIC_SIZE: usize = 8;
 pub const DNSCRYPT_RESPONSE_MAGIC: [u8; DNSCRYPT_RESPONSE_MAGIC_SIZE] =
     [0x72, 0x36, 0x66, 0x6e, 0x76, 0x57, 0x6a, 0x38];
+pub const DNSCRYPT_RESPONSE_CERT_PREFIX: [u8; 24] = [
+    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x32, 0x0d, 0x64, 0x6e, 0x73, 0x63, 0x72,
+    0x79, 0x70, 0x74, 0x2d, 0x63, 0x65, 0x72, 0x74,
+];
+pub const DNSCRYPT_RESPONSE_CERT_PREFIX_OFFSET: usize = 4;
 pub const DNSCRYPT_RESPONSE_NONCE_SIZE: usize = DNSCRYPT_FULL_NONCE_SIZE;
 pub const DNSCRYPT_RESPONSE_HEADER_SIZE: usize =
     DNSCRYPT_RESPONSE_MAGIC_SIZE + DNSCRYPT_RESPONSE_NONCE_SIZE;
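Review bot: `DNSCRYPT_RESPONSE_CERT_PREFIX` is an undocumented 24-byte blob whose meaning can only be recovered by decoding it by hand, and the two `pub` constants get no doc comment at all. A comment above the array should spell out the layout, e.g. `/// DNS header counters QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0, followed by the` / `/// first two labels of the question name: "\x01" "2" "\x0d" "dnscrypt-cert".`, and the offset deserves `/// Byte offset of QDCOUNT in a DNS header (after the 2-byte ID and 2-byte flags).` Because the constant fixes ANCOUNT to 1 and ARCOUNT to 0, any full-length comparison against it rejects replies with several certificate records or an OPT record; if that restriction is intended, the comment should say so explicitly so a reader does not treat it as an oversight.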