diff --git a/Cargo.toml b/Cargo.toml
index 6c357f9..b92d827 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "encrypted-dns"
-version = "0.3.0"
+version = "0.3.1"
 authors = ["Frank Denis "]
 edition = "2018"
 description = "A modern encrypted DNS server (DNSCrypt v2, Anonymized DNSCrypt, DoH)"
diff --git a/README.md b/README.md
index c82d490..2fe063a 100644
--- a/README.md
+++ b/README.md
@@ -6,11 +6,11 @@ An easy to install, high-performance, zero maintenance proxy to run an encrypted
 ## Protocols
-The proxy aims at supporting the following protocols:
+The proxy supports the following protocols:
 - [DNSCrypt v2](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/DNSCRYPT-V2-PROTOCOL.txt)
 - [Anonymized DNSCrypt](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt)
-- DNS-over-HTTP (DoH)
+- DNS-over-HTTP (DoH) forwarding
 All of these can be served simultaneously, on the same port (usually port 443). The proxy automatically detects what protocol is being used by each client.
diff --git a/src/anonymized_dns.rs b/src/anonymized_dns.rs
index c0b5a57..6d56840 100644
--- a/src/anonymized_dns.rs
+++ b/src/anonymized_dns.rs
@@ -65,6 +65,12 @@ pub async fn handle_anonymized_dns(
 encrypted_packet_len > 8 && [0u8, 0, 0, 0, 0, 0, 0, 1] != encrypted_packet[..8],
 "Protocol confusion with QUIC"
 );
+ debug_assert!(DNSCRYPT_UDP_QUERY_MIN_SIZE > ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len());
+ ensure!(
+ encrypted_packet[..ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len()]
+ != ANONYMIZED_DNSCRYPT_QUERY_MAGIC,
+ "Loop detected"
+ );
 let mut ext_socket = UdpSocket::bind(&globals.external_addr).await?;
 ext_socket.connect(&upstream_address).await?;
 ext_socket.send(&encrypted_packet).await?;
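Review bot: The slice `encrypted_packet[..ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len()]` in the added `ensure!` panics on a packet shorter than the magic, and the only guards in this hunk are `encrypted_packet_len > 8` and a `debug_assert!` that compares two constants and is compiled out of release builds. Whether an earlier length check against `DNSCRYPT_UDP_QUERY_MIN_SIZE` covers this cannot be seen here, because `handle_anonymized_dns` begins and continues outside the hunk. Since the packet comes straight off the network, a panic-free comparison is the safer form: `ensure!(!encrypted_packet.starts_with(&ANONYMIZED_DNSCRYPT_QUERY_MAGIC), "Loop detected");` (assuming `encrypted_packet` derefs to a byte slice), which also makes the `debug_assert!` unnecessary. A one-line comment such as `// Refuse to relay a payload that is itself an anonymized query, so relays cannot be chained into a cycle` would explain the "Loop detected" message, if that is indeed the intent.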