diff --git a/dnscrypt-proxy/common.go b/dnscrypt-proxy/common.go
index 93f95575..8dadfc84 100644
--- a/dnscrypt-proxy/common.go
+++ b/dnscrypt-proxy/common.go
@@ -59,6 +59,9 @@ func ReadPrefixed(conn *net.TCPConn) ([]byte, error) {
 if packetLength > MaxDNSPacketSize-1 {
 return buf, errors.New("Packet too large")
 }
+ if packetLength < MinDNSPacketSize {
+ return buf, errors.New("Packet too short")
+ }
 }
 if pos >= 2+packetLength {
 return buf[2:pos], nil
diff --git a/dnscrypt-proxy/dnsutils.go b/dnscrypt-proxy/dnsutils.go
index 0fc217d1..a0d07c24 100644
--- a/dnscrypt-proxy/dnsutils.go
+++ b/dnscrypt-proxy/dnsutils.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+ "encoding/binary"
 "strings"
 "time"
 
@@ -43,6 +44,14 @@ func HasTCFlag(packet []byte) bool {
 return packet[2]&2 == 2
 }
 
+func TransactionID(packet []byte) uint16 {
+ return binary.BigEndian.Uint16(packet[0:2])
+}
+
+func SetTransactionID(packet []byte, tid uint16) {
+ binary.BigEndian.PutUint16(packet[0:2], tid)
+}
+
 func NormalizeName(name *[]byte) {
 for i, c := range *name {
 if c >= 65 && c <= 90 {
diff --git a/dnscrypt-proxy/proxy.go b/dnscrypt-proxy/proxy.go
index 8e869665..b8e14bf3 100644
--- a/dnscrypt-proxy/proxy.go
+++ b/dnscrypt-proxy/proxy.go
@@ -279,7 +279,10 @@ func (proxy *Proxy) processIncomingQuery(serverInfo *ServerInfo, clientProto str
 return
 }
 } else if serverInfo.Proto == StampProtoTypeDoH {
+ tid := TransactionID(query)
+ SetTransactionID(query, 0)
 resp, _, err := proxy.xTransport.Post(serverInfo.URL, "application/dns-udpwireformat", "application/dns-udpwireformat", query, proxy.timeout)
+ SetTransactionID(query, tid)
 if err != nil {
 return
 }
@@ -287,6 +290,9 @@ func (proxy *Proxy) processIncomingQuery(serverInfo *ServerInfo, clientProto str
 if err != nil {
 return
 }
+ if len(response) >= MinDNSPacketSize {
+ SetTransactionID(response, tid)
+ }
 } else {
 dlog.Fatal("Unsupported protocol")
 }
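Review bot: The new minimum-length check validates the length prefix, but the success return a few lines below, `return buf[2:pos], nil`, still hands back every byte read so far, so whenever pos is strictly greater than 2+packetLength the caller receives trailing bytes that the checked prefix never announced. Bounding the returned slice by the declared length, `return buf[2 : 2+packetLength], nil`, keeps the payload consistent with the prefix that was just validated. The rest of ReadPrefixed, including how pos and packetLength are accumulated, is outside the hunk, so this may already be unreachable by construction. The added error string is capitalised like the existing "Packet too large", which matches the file but not Go's lowercase-error convention.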
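Review bot: TransactionID and SetTransactionID are exported but carry no doc comment, and both index `packet[0:2]` unconditionally, so a packet shorter than two bytes panics instead of reporting an error. Suggested comments: `// TransactionID returns the 16-bit message ID from the DNS header; packet must be at least 2 bytes long.` and `// SetTransactionID overwrites the 16-bit message ID in the DNS header in place; packet must be at least 2 bytes long.` In proxy.go the response call is guarded by `len(response) >= MinDNSPacketSize`, but the `TransactionID(query)` call in the first proxy.go hunk has no visible guard; if the query length is validated before processIncomingQuery is entered that is fine, otherwise the precondition should be checked at that call site.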
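Review bot: The message ID is zeroed before the DoH POST and restored right after it without any comment, and the reason is not obvious from the code. A one-line comment above `tid := TransactionID(query)` such as `// DoH: send the query with a zero message ID (as RFC 8484 recommends, so identical queries are cacheable), then restore the client's ID` would spare the next reader a lookup. Placing the restore before the `if err != nil` check is the right order, since the caller's query buffer is mutated in place and must be intact on every exit path; processIncomingQuery begins and ends outside this hunk.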
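Review bot: When the DoH response is shorter than MinDNSPacketSize the new guard skips the ID rewrite but keeps the response, so unless something after the hunk drops short responses, a truncated or malformed reply would continue on with the zero ID it was sent with rather than the client's ID. The TCP path in common.go now rejects such packets with "Packet too short"; treating them the same way here, `if len(response) < MinDNSPacketSize { return }` followed by an unconditional `SetTransactionID(response, tid)`, keeps the two paths consistent and avoids passing along a reply that cannot be matched to its query. The remainder of processIncomingQuery, where the response is actually handed back, is outside the hunk.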