diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index c5e98ec7884..8ff0d92e9c0 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1221,6 +1221,7 @@ struct ndpi_flow_struct {
 struct {
 u_int8_t num_queries, num_answers, reply_code, is_query;
 u_int16_t query_type, query_class, rsp_type;
+ u_int32_t answer_ttl;
 ndpi_ip_addr_t rsp_addr; /* The first address in a DNS response packet */
 } dns;
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 6537b8b2e0d..51eb20eb570 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -140,6 +140,16 @@ static u_int16_t get16(int *i, const u_int8_t *payload) {
 /* *********************************************** */
+static u_int32_t get32(int *i, const u_int8_t *payload) {
+ u_int32_t v = *(u_int32_t*)&payload[*i];
+
+ (*i) += 4;
+
+ return(ntohl(v));
+}
+
+/* *********************************************** */
+
 static u_int getNameLength(u_int i, const u_int8_t *payload, u_int payloadLen) {
 if(i >= payloadLen) return(0);
@@ -287,8 +297,10 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
 /* here x points to the response "class" field */
 if((x+12) <= packet->payload_packet_len) {
- x += 6;
- data_len = get16(&x, packet->payload);
+ x += 2;
+ uint32_t ttl = get32(&x,packet->payload);
+ flow->protos.dns.answer_ttl = ttl;
+ data_len = get16(&x, packet->payload);
 if((x + data_len) <= packet->payload_packet_len) {
 // printf("[rsp_type: %u][data_len: %u]\n", rsp_type, data_len);
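Review bot: The new `answer_ttl` member in the `dns` block of `struct ndpi_flow_struct` has no comment, while its neighbour `rsp_addr` documents what it holds. I would write it as `u_int32_t answer_ttl; /* TTL of a parsed answer record, host byte order, copied from the wire unvalidated */`. The value is chosen by whoever sent the response and, judging by the dns.c hunk, is only written when the `(x+12)` length guard passes, so any consumer using it as a detection signal should treat it as untrusted and possibly unset.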
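Review bot: In the added `get32()` in src/lib/protocols/dns.c, `*(u_int32_t*)&payload[*i]` loads four bytes through a cast pointer at whatever offset the parser has reached. That is a misaligned read and an aliasing violation in C, it can fault on strict-alignment targets, and the cast also drops the `const` qualifier. Copying the bytes out avoids all three: `u_int32_t v; memcpy(&v, &payload[*i], sizeof(v));` (this needs `<string.h>`, which is presumably already included in this file but is not visible in the hunk). The helper takes no length argument, so a comment above it such as `/* caller must ensure *i + 4 <= payload length */` would make the contract explicit.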
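Review bot: In the `search_valid_dns()` hunk the temporary `ttl` is unnecessary and is spelled `uint32_t`, while the new helper and the struct field both use `u_int32_t`. It is also declared mid-block, and the call drops the space after the comma that the neighbouring `get16` line has. `flow->protos.dns.answer_ttl = get32(&x, packet->payload);` does the same in one line and matches the surrounding style. The existing `(x+12)` guard does cover the eight bytes now consumed (class, TTL, data length), so no extra bounds check is needed at this spot. The function starts and ends outside the hunk, so whether this assignment runs once or once per answer record cannot be seen from here.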