diff --git a/example-encrypted-dns.toml b/example-encrypted-dns.toml
index 1bdfcb4..042723b 100644
--- a/example-encrypted-dns.toml
+++ b/example-encrypted-dns.toml
@@ -180,3 +180,13 @@ key_cache_capacity = 10000
 # type = "prometheus"
 # listen_addr = "0.0.0.0:9100"
 # path = "/metrics"
+
+
+
+################################
+# Anonymized DNS #
+################################
+
+[anonymized_dns]
+
+enabled = false
diff --git a/src/config.rs b/src/config.rs
index 5b35cbc..11f849a 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -9,6 +9,11 @@ use std::net::{IpAddr, SocketAddr};
 use std::path::{Path, PathBuf};
 use tokio::prelude::*;
+#[derive(Serialize, Deserialize, Debug, Clone)]
+pub struct AnonymizedDNSConfig {
+ pub enabled: bool,
+}
+
 #[cfg(feature = "metrics")]
 #[derive(Serialize, Deserialize, Debug, Clone)]
 pub struct MetricsConfig {
@@ -67,6 +72,7 @@ pub struct Config {
 pub log_file: Option,
 #[cfg(feature = "metrics")]
 pub metrics: Option,
+ pub anonymized_dns: Option,
 }
 impl Config {
diff --git a/src/globals.rs b/src/globals.rs
index 1f056b7..1a99b70 100644
--- a/src/globals.rs
+++ b/src/globals.rs
@@ -43,4 +43,5 @@ pub struct Globals {
 #[cfg(feature = "metrics")]
 #[derivative(Debug = "ignore")]
 pub varz: Varz,
+ pub anonymized_dns_enabled: bool,
 }
diff --git a/src/main.rs b/src/main.rs
index 4485509..7a0cfa5 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -172,7 +172,9 @@ async fn handle_client_query(
 "Short packet"
 );
 debug_assert!(DNSCRYPT_QUERY_MIN_OVERHEAD > ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len());
- if encrypted_packet[..ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len()] == ANONYMIZED_DNSCRYPT_QUERY_MAGIC
+ if globals.anonymized_dns_enabled
+ && encrypted_packet[..ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len()]
+ == ANONYMIZED_DNSCRYPT_QUERY_MAGIC
 {
 return handle_anonymized_dns(
 globals,
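Review bot: The new `[anonymized_dns]` section in example-encrypted-dns.toml ships without a comment, so an operator cannot tell from the example what turning `enabled` on exposes. In the Anonymized DNSCrypt protocol a relay forwards client packets to an upstream resolver named inside the packet, which is a different exposure from answering queries directly. I would put `# Relay encrypted queries to other DNSCrypt servers on behalf of clients. Disabled by default.` above `enabled = false`. The same gap applies to `AnonymizedDNSConfig` in src/config.rs, where a one-line `///` doc comment on the struct and on `enabled` would carry the same explanation.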
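Review bot: `AnonymizedDNSConfig` in src/config.rs holds only `enabled`, so this commit gives an operator no way to limit which upstream addresses or ports the relay will forward to. Whether `handle_anonymized_dns` applies such limits itself is not visible in this diff. If it does not, setting `enabled = true` makes the server forward to any destination a client names, including addresses on the server's own network. I would add optional fields for permitted upstream ports and for denied address ranges to this struct and check them before forwarding, or state in the struct's doc comment that the handler already enforces them.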
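Review bot: In handle_client_query (src/main.rs), when `globals.anonymized_dns_enabled` is false a packet that begins with `ANONYMIZED_DNSCRYPT_QUERY_MAGIC` no longer returns early and instead continues into the ordinary query path, which lies outside this hunk. That is probably intended to end in a normal rejection, but nothing here says so, and a refused relay attempt cannot be told apart from any other malformed query in logs or metrics. I would add `// Relaying disabled: treat magic-prefixed packets like any other query.` above the `if`, or test the magic first and return an explicit error when the flag is off. The slice `encrypted_packet[..ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len()]` relies on the length check that ends in `"Short packet"`, whose condition is also outside the hunk; the `debug_assert!` is compiled out of release builds and does not guard it.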
@@ -582,6 +584,10 @@ fn main() -> Result<(), Error> {
 .map_err(|e| format_err!("Unable to load the blacklist [{:?}]: [{}]", path, e))?,
 ),
 };
+ let anonymized_dns_enabled = match config.anonymized_dns {
+ None => false,
+ Some(anonymized_dns) => anonymized_dns.enabled,
+ };
 let globals = Arc::new(Globals {
 runtime: runtime.clone(),
 state_file: state_file.to_path_buf(),
@@ -612,6 +618,7 @@ fn main() -> Result<(), Error> {
 blacklist,
 #[cfg(feature = "metrics")]
 varz: Varz::default(),
+ anonymized_dns_enabled,
 });
 let updater = DNSCryptEncryptionParamsUpdater::new(globals.clone());
 if !state_is_new {
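Review bot: The `match` on `config.anonymized_dns` in main() (src/main.rs) moves the field out of `config` just to read one bool, and the two-arm match is longer than it needs to be. `let anonymized_dns_enabled = config.anonymized_dns.as_ref().map_or(false, |c| c.enabled);` reads the flag through a borrow and leaves `config` intact for later use. Since the flag changes what the server will do with client traffic, a startup log line stating whether relaying is on would help operators confirm the running configuration. main() begins and ends outside this hunk, so I cannot see whether one already exists.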