1 files changed, 14 insertions, 5 deletions

diff --git a/src/lib/protocols/dnscrypt.c b/src/lib/protocols/dnscrypt.c
index af147614a..a5bbd0c0e 100644
--- a/src/lib/protocols/dnscrypt.c
+++ b/src/lib/protocols/dnscrypt.c
@@ -38,22 +38,31 @@ void ndpi_search_dnscrypt(struct ndpi_detection_module_struct *ndpi_struct,
 
   NDPI_LOG_DBG(ndpi_struct, "search dnscrypt\n");
 
-  if (flow->packet_counter > 3)
-  {
-    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-  }
-
   /* dnscrypt protocol version 1: check magic */
   if (packet->payload_packet_len >= 64 &&
       strncmp((char*)packet->payload, "r6fnvWj8", strlen("r6fnvWj8")) == 0)
   {
     ndpi_int_dnscrypt_add_connection(ndpi_struct, flow);
+    return;
   }
   /* dnscrypt protocol version 1 and 2: resolver ping */
   if (packet->payload_packet_len > 13 + strlen(dnscrypt_initial) &&
       strncasecmp((char*)packet->payload + 13, dnscrypt_initial, strlen(dnscrypt_initial)) == 0)
   {
     ndpi_int_dnscrypt_add_connection(ndpi_struct, flow);
+    return;
+  }
+
+  if ((flow->packet_direction_counter[packet->packet_direction] >= 1 &&
+       flow->packet_direction_counter[1 - packet->packet_direction] >= 1) ||
+      flow->packet_counter >= 10)
+  {
+    /*
+     * Wait for at least one packet per direction, but not more then 10 packets.
+     * Required as we need to wait for the server response which contains the ASCII pattern below.
+     */
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+    return;
   }
 }