diff --git a/src/anonymized_dns.rs b/src/anonymized_dns.rs
index 1460f12..f3c1a27 100644
--- a/src/anonymized_dns.rs
+++ b/src/anonymized_dns.rs
@@ -63,7 +63,7 @@ pub async fn handle_anonymized_dns(
     let encrypted_packet = &relayed_packet[ANONYMIZED_DNSCRYPT_OVERHEAD..];
     let encrypted_packet_len = encrypted_packet.len();
     ensure!(
-        encrypted_packet_len >= DNSCRYPT_UDP_QUERY_MIN_SIZE
+        encrypted_packet_len >= ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len() + DNS_HEADER_SIZE
             && encrypted_packet_len <= DNSCRYPT_UDP_QUERY_MAX_SIZE,
         "Unexpected encapsulated query length"
     );
@@ -106,7 +106,7 @@ pub async fn handle_anonymized_dns(
         if is_encrypted_response(&response, response_len) {
             break (response_len, false);
         }
-        if is_certificate_response(&response, response_len, &encrypted_packet) {
+        if is_certificate_response(&response, &encrypted_packet) {
             break (response_len, true);
         }
     };
@@ -154,9 +154,10 @@ fn is_encrypted_response(response: &[u8], response_len: usize) -> bool {
         && response[..DNSCRYPT_RESPONSE_MAGIC_SIZE] == DNSCRYPT_RESPONSE_MAGIC
 }
 
-fn is_certificate_response(response: &[u8], response_len: usize, query: &[u8]) -> bool {
-    if !(response_len <= query.len()
-        && (DNS_HEADER_SIZE..=DNS_MAX_PACKET_SIZE).contains(&response_len)
+fn is_certificate_response(response: &[u8], query: &[u8]) -> bool {
+    let prefix = b"2.dnscrypt-cert.";
+    if !((DNS_HEADER_SIZE + prefix.len() + 4..=DNS_MAX_PACKET_SIZE).contains(&query.len())
+        && (DNS_HEADER_SIZE + prefix.len() + 4..=DNS_MAX_PACKET_SIZE).contains(&response.len())
         && dns::tid(response) == dns::tid(query)
         && dns::is_response(response)
         && !dns::is_response(query))
@@ -171,7 +172,6 @@ fn is_certificate_response(response: &[u8], response_len: usize, query: &[u8]) -
             return false;
         }
     };
-    let prefix = b"2.dnscrypt-cert.";
     if qname.len() <= prefix.len() || &qname[..prefix.len()] != prefix {
         debug!("Relayed cert qname response didn't start with the standard prefix");
         return false;
diff --git a/src/main.rs b/src/main.rs
index 02faa91..e4a2c88 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -170,8 +170,7 @@ async fn handle_client_query(
     ensure!(original_packet_size >= DNS_HEADER_SIZE, "Short packet");
     debug_assert!(DNSCRYPT_QUERY_MIN_OVERHEAD > ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len());
     if globals.anonymized_dns_enabled
-        && original_packet_size
-            >= ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len() + DNSCRYPT_QUERY_MIN_OVERHEAD + DNS_HEADER_SIZE
+        && original_packet_size >= ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len() + DNS_HEADER_SIZE
         && encrypted_packet[..ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len()]
             == ANONYMIZED_DNSCRYPT_QUERY_MAGIC
     {