diff --git a/daemon/lua/kres-gen.lua b/daemon/lua/kres-gen.lua
index 1d867682..b0a0e9d8 100644
--- a/daemon/lua/kres-gen.lua
+++ b/daemon/lua/kres-gen.lua
@@ -124,6 +124,7 @@ struct kr_qflags {
 _Bool DNS64_MARK : 1;
 _Bool CACHE_TRIED : 1;
 _Bool NO_NS_FOUND : 1;
+ _Bool PKT_IS_SANE : 1;
 };
 typedef struct {
 knot_rrset_t **at;
diff --git a/lib/cache/api.c b/lib/cache/api.c
index 4142aa2b..dfcfb116 100644
--- a/lib/cache/api.c
+++ b/lib/cache/api.c
@@ -414,7 +414,7 @@ int cache_stash(kr_layer_t *ctx, knot_pkt_t *pkt)
 /* LATER(optim.): typically we also have corresponding NS record in the list,
 * so we might save a cache operation. */
- if (check_dname_for_lf(knot_pkt_qname(pkt), qry)) {
+ if (qry->flags.PKT_IS_SANE && check_dname_for_lf(knot_pkt_qname(pkt), qry)) {
 stash_pkt(pkt, qry, req, needs_pkt);
 }
diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index ac3b218b..069b34f0 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -82,6 +82,8 @@ static bool is_paired_to_query(const knot_pkt_t *answer, struct kr_query *query)
 uint16_t qtype = query->stype;
 const knot_dname_t *qname = minimized_qname(query, &qtype);
+ /* ID should already match, thanks to session_tasklist_del_msgid()
+ * in worker_submit(), but it won't hurt to check again. */
 return query->id == knot_wire_get_id(answer->wire) &&
 knot_wire_get_qdcount(answer->wire) == 1 &&
 query->sclass == knot_pkt_qclass(answer) &&
@@ -1017,6 +1019,7 @@ static int resolve(kr_layer_t *ctx, knot_pkt_t *pkt)
 if (!query) {
 return ctx->state;
 }
+ query->flags.PKT_IS_SANE = false;
 WITH_VERBOSE(query) {
 if (query->flags.TRACE) {
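Review bot: In lib/cache/api.c, the new `qry->flags.PKT_IS_SANE &&` condition in cache_stash() has no comment saying why the packet cache is skipped, and the LATER(optim.) comment sitting above it is about a different matter. I would add `/* PKT_IS_SANE is set by the iterator only after the answer was paired to the query; an unpaired (possibly spoofed) packet must not reach the packet cache. */` directly above the `if`. The guard covers only stash_pkt(); cache_stash() continues outside this hunk, so whether the record stashing further down depends on the same check cannot be confirmed from here.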
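Review bot: In lib/layer/iterate.c resolve(), the flag is cleared only once this function is entered with a non-NULL query, so cache_stash() reads a trustworthy value only if the iterator's consume step ran on the same packet first. If consume can be cut short before this layer (layer ordering is not visible in the diff), the cache would see the value left by the previous packet of the same query. Consider also clearing it where it is consumed, e.g. `qry->flags.PKT_IS_SANE = false;` right after the stash_pkt() decision in cache_stash(), or state the ordering assumption in a comment next to `query->flags.PKT_IS_SANE = false;`. The same applies to the hunk at -1060 that sets the flag to true; resolve() starts and ends outside both hunks.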
@@ -1060,6 +1063,10 @@ static int resolve(kr_layer_t *ctx, knot_pkt_t *pkt) return KR_STATE_CONSUME; } + /* If exiting above here, there's no sense to put it into packet cache. + * The most important part is to check for spoofing: is_paired_to_query() */ + query->flags.PKT_IS_SANE = true; + #ifndef NOVERBOSELOG const knot_lookup_t *rcode = knot_lookup_by_id(knot_rcode_names, knot_wire_get_rcode(pkt->wire)); #endif diff --git a/lib/rplan.h b/lib/rplan.h index 6e93afc7..15ca5633 100644 --- a/lib/rplan.h +++ b/lib/rplan.h @@ -64,6 +64,8 @@ struct kr_qflags { bool DNS64_MARK : 1; /**< Internal mark for dns64 module. */ bool CACHE_TRIED : 1; /**< Internal to cache module. */ bool NO_NS_FOUND : 1; /**< No valid NS found during last PRODUCE stage. */ + bool PKT_IS_SANE : 1; /**< Set by iterator in consume phase to indicate whether + * some basic aspects of the packet are OK, e.g. QNAME. */ }; /** Combine flags together. This means set union for simple flags. */
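Review bot: In lib/rplan.h, the doc comment on `PKT_IS_SANE` does not say that the bit describes the most recent packet rather than the query as a whole, nor who is expected to read it. Since the declaration that follows combines flag sets by union, the lifetime is worth spelling out, for example `/**< Per-packet: cleared at the start of the iterator's consume phase and set once the answer is paired to the query; read by the cache before storing the packet. */`. Whether any code copies or merges kr_qflags between queries is not visible here, so it is worth confirming that this bit cannot be inherited that way.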