diff --git a/src/lib/ares_dns_parse.c b/src/lib/ares_dns_parse.c
index da26ffdc..4e3fd40c 100644
--- a/src/lib/ares_dns_parse.c
+++ b/src/lib/ares_dns_parse.c
@@ -1128,6 +1128,11 @@ static ares_status_t ares_dns_parse_buf(ares__buf_t *buf, unsigned int flags,
     return ARES_EFORMERR;
   }
 
+  /* Maximum DNS packet size is 64k, even over TCP */
+  if (ares__buf_len(buf) > 0xFFFF) {
+    return ARES_EFORMERR;
+  }
+
   /* All communications inside of the domain protocol are carried in a single
    * format called a message.  The top level format of message is divided
    * into 5 sections (some of which are empty in certain cases) shown below: