Don't be too restrictive, we still need to serve certificates

src/main.rs

@@ -167,12 +167,11 @@ async fn handle_client_query(
     encrypted_packet: Vec<u8>,
 ) -> Result<(), Error> {
     let original_packet_size = encrypted_packet.len();
-    ensure!(
-        original_packet_size >= DNSCRYPT_QUERY_MIN_OVERHEAD + DNS_HEADER_SIZE,
-        "Short packet"
-    );
+    ensure!(original_packet_size >= DNS_HEADER_SIZE, "Short packet");
     debug_assert!(DNSCRYPT_QUERY_MIN_OVERHEAD > ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len());
     if globals.anonymized_dns_enabled
+        && original_packet_size
+            >= ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len() + DNSCRYPT_QUERY_MIN_OVERHEAD + DNS_HEADER_SIZE
         && encrypted_packet[..ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len()]
             == ANONYMIZED_DNSCRYPT_QUERY_MAGIC
     {