diff --git a/rust/connlib/tunnel/src/dns.rs b/rust/connlib/tunnel/src/dns.rs
index 8f40b518b..7d279571c 100644
--- a/rust/connlib/tunnel/src/dns.rs
+++ b/rust/connlib/tunnel/src/dns.rs
@@ -211,11 +211,21 @@ impl StubResolver {
         dns_mapping: &bimap::BiMap<IpAddr, DnsServer>,
         packet: &IpPacket,
     ) -> Option<ResolveStrategy> {
-        let upstream = dns_mapping.get_by_left(&packet.destination())?.address();
-        let datagram = packet.as_udp()?;
+        let dst = packet.destination();
+        let _guard = tracing::debug_span!("packet", %dst);
+        let upstream = dns_mapping.get_by_left(&dst)?.address();
 
-        // We only support DNS on port 53.
-        if datagram.destination_port() != DNS_PORT {
+        let Some(datagram) = packet.as_udp() else {
+            let protocol = packet.next_header().keyword_str().unwrap_or("unassigned");
+
+            tracing::debug!(%protocol, "DNS is only supported over UDP");
+            return None;
+        };
+
+        let port = datagram.destination_port();
+
+        if port != DNS_PORT {
+            tracing::debug!(%port, "DNS over UDP is only supported on port 53");
             return None;
         }
 
diff --git a/rust/ip-packet/src/lib.rs b/rust/ip-packet/src/lib.rs
index dbbe1cc9f..a6f287384 100644
--- a/rust/ip-packet/src/lib.rs
+++ b/rust/ip-packet/src/lib.rs
@@ -732,7 +732,7 @@ impl<'a> IpPacket<'a> {
         }
     }
 
-    fn next_header(&self) -> IpNumber {
+    pub fn next_header(&self) -> IpNumber {
         match self {
             Self::Ipv4(p) => p.ip_header().protocol(),
             Self::Ipv6(p) => p.header().next_header(),