diff --git a/src/dns.c b/src/dns.c
index 00f7b10ca..c3905f9ca 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -1037,6 +1037,7 @@ int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend, struct
 	reader = resp;
 	len = 0;
 	previous_dname = NULL;
+	dns_query = NULL;
 	/* initialization of response buffer and structure */
 	dns_p = &resolution->response;
@@ -1061,9 +1062,6 @@ int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend, struct
 	flags = reader[0] * 256 + reader[1];
-	if (flags & DNS_FLAG_TRUNCATED)
-		return DNS_RESP_TRUNCATED;
 	if ((flags & DNS_FLAG_REPLYCODE) != DNS_RCODE_NO_ERROR) {
 		if ((flags & DNS_FLAG_REPLYCODE) == DNS_RCODE_NX_DOMAIN)
 			return DNS_RESP_NX_DOMAIN;
@@ -1148,6 +1146,12 @@ int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend, struct
 		reader += 2;
 	}
+	/* TRUNCATED flag must be checked after we could read the query type
+	 * because a TRUNCATED SRV query type response can still be exploited
+	 */
+	if (dns_query->type != DNS_RTYPE_SRV && flags & DNS_FLAG_TRUNCATED)
+		return DNS_RESP_TRUNCATED;
 	/* now parsing response records */
 	nb_saved_records = 0;
 	for (i = 0; i < dns_p->header.ancount; i++) {
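Review bot: `dns_query` is initialised to NULL in this hunk but dereferenced unconditionally as `dns_query->type` in the third hunk's new TRUNCATED check, so any response whose question section leaves it unset becomes a NULL dereference on attacker-supplied data. The question-parsing loop that assigns it sits between the hunks and is not visible, so whether a zero `qdcount` (or an early loop exit) can reach that point cannot be confirmed from here; if it can, add `if (!dns_query) return DNS_RESP_INVALID;` before the check, using whatever code the function already returns for a malformed question section. dns_validate_dns_response starts and ends outside these hunks.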
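Review bot: The new condition `dns_query->type != DNS_RTYPE_SRV && flags & DNS_FLAG_TRUNCATED` in the third hunk relies on `&` binding tighter than `&&`; that is correct, but compilers warn on it and readers misparse it, so write `if (dns_query->type != DNS_RTYPE_SRV && (flags & DNS_FLAG_TRUNCATED))`. The comment's "can still be exploited" reads as a security term where "can still be used" is what is meant, since the point is that a truncated SRV answer section is still worth consuming. Because truncated SRV responses are now parsed instead of rejected, the answer loop that follows must bound every read against `bufend` rather than trusting `ancount`, as a truncated section can carry fewer records than the header claims; that loop's body lies outside the hunk.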