diff --git a/dnscrypt-proxy/dnsutils.go b/dnscrypt-proxy/dnsutils.go
index 480f853f..aaf317bf 100644
--- a/dnscrypt-proxy/dnsutils.go
+++ b/dnscrypt-proxy/dnsutils.go
@@ -40,6 +40,11 @@ func TruncatedResponse(packet []byte) ([]byte, error) {
 func RefusedResponseFromMessage(srcMsg *dns.Msg, refusedCode bool, ipv4 net.IP, ipv6 net.IP, ttl uint32) *dns.Msg {
 dstMsg := EmptyResponseFromMessage(srcMsg)
+ ede := new(dns.EDNS0_EDE)
+ if edns0 := dstMsg.IsEdns0(); edns0 != nil {
+ edns0.Option = append(edns0.Option, ede)
+ }
+ ede.InfoCode = dns.ExtendedErrorCodeFiltered
 if refusedCode {
 dstMsg.Rcode = dns.RcodeRefused
 } else {
@@ -58,6 +63,7 @@ func RefusedResponseFromMessage(srcMsg *dns.Msg, refusedCode bool, ipv4 net.IP,
 if rr.A != nil {
 dstMsg.Answer = []dns.RR{rr}
 sendHInfoResponse = false
+ ede.InfoCode = dns.ExtendedErrorCodeForgedAnswer
 }
 } else if ipv6 != nil && question.Qtype == dns.TypeAAAA {
 rr := new(dns.AAAA)
@@ -66,6 +72,7 @@ func RefusedResponseFromMessage(srcMsg *dns.Msg, refusedCode bool, ipv4 net.IP,
 if rr.AAAA != nil {
 dstMsg.Answer = []dns.RR{rr}
 sendHInfoResponse = false
+ ede.InfoCode = dns.ExtendedErrorCodeForgedAnswer
 }
 }
@@ -78,8 +85,11 @@ func RefusedResponseFromMessage(srcMsg *dns.Msg, refusedCode bool, ipv4 net.IP,
 hinfo.Cpu = "This query has been locally blocked"
 hinfo.Os = "by dnscrypt-proxy"
 dstMsg.Answer = []dns.RR{hinfo}
+ } else {
+ ede.ExtraText = "This query has been locally blocked by dnscrypt-proxy"
 }
 }
+
 return dstMsg
 }
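Review bot: In the first hunk (`@@ -40,6 +40,11 @@`) `ede` is appended to the OPT record before its fields are final, so every later write to `ede.InfoCode` and `ede.ExtraText` reaches the response only through the shared pointer. When `dstMsg.IsEdns0()` returns nil the option is never attached and those writes have no effect on the wire; whether the reply carries an OPT record is decided in `EmptyResponseFromMessage`, which is not part of this diff. A comment above the allocation would state both facts, for example `// ede is attached by pointer, so fields set below still appear in the response; without an OPT record in dstMsg no EDE is sent.` The body of `RefusedResponseFromMessage` continues outside the hunk.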
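Review bot: The line `ede.InfoCode = dns.ExtendedErrorCodeForgedAnswer` is duplicated in the A branch (`@@ -58,6 +63,7 @@`) and the AAAA branch (`@@ -66,6 +72,7 @@`), each time next to `sendHInfoResponse = false`. The `else` added in the last hunk appears to be reached only when one of those answers was installed, though its `if` head is outside the hunk, so this is inferred. If that holds, the code can be set once there, with `ede.InfoCode = dns.ExtendedErrorCodeForgedAnswer` placed directly above the `ede.ExtraText` line. That keeps the forged-answer EDE state in one place, so a record type added later cannot install an answer while leaving the code at Filtered.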
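Review bot: `ede.ExtraText` is set only in the `else` added in the last hunk (`@@ -78,8 +85,11 @@`), so the REFUSED path from the first hunk returns the Filtered code with empty text. A client or a log pipeline reading the EDE option then cannot tell from the text which component blocked the query. If the HINFO case is left without text on purpose because the record already carries the explanation, a comment such as `// HINFO already carries the explanation; EDE text is only added for forged address answers` would record that. For the REFUSED case, consider adding `ede.ExtraText = "This query has been locally blocked by dnscrypt-proxy"` under `dstMsg.Rcode = dns.RcodeRefused`. The `if` that this `else` belongs to lies outside the hunk, so the branch structure is inferred from the context lines.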