diff --git a/dnsfilter/dnsfilter_test.go b/dnsfilter/dnsfilter_test.go
index 6515b53d..f0dff6ec 100644
--- a/dnsfilter/dnsfilter_test.go
+++ b/dnsfilter/dnsfilter_test.go
@@ -146,6 +146,12 @@ func TestEtcHostsMatching(t *testing.T) {
 
 // SAFE BROWSING
 
+func TestSafeBrowsingHash(t *testing.T) {
+	q, hashes := hostnameToHashParam("1.2.3.4.5.6")
+	assert.Equal(t, "0132d0fa.b5413b4e.5fa067c1.e7f6c011.", q)
+	assert.Equal(t, 4, len(hashes))
+}
+
 func TestSafeBrowsing(t *testing.T) {
 	d := NewForTest(&Config{SafeBrowsingEnabled: true}, nil)
 	defer d.Close()
diff --git a/dnsfilter/security.go b/dnsfilter/security.go
index 7f2b397a..9de23add 100644
--- a/dnsfilter/security.go
+++ b/dnsfilter/security.go
@@ -157,6 +157,7 @@ func (d *Dnsfilter) checkSafeSearch(host string) (Result, error) {
 }
 
 // for each dot, hash it and add it to string
+// The maximum is 4 components: "a.b.c.d"
 func hostnameToHashParam(host string) (string, map[string]bool) {
 	var hashparam bytes.Buffer
 	hashes := map[string]bool{}
@@ -166,6 +167,18 @@ func hostnameToHashParam(host string) (string, map[string]bool) {
 		tld = ""
 	}
 	curhost := host
+
+	nDots := 0
+	for i := len(curhost) - 1; i >= 0; i-- {
+		if curhost[i] == '.' {
+			nDots++
+			if nDots == 4 {
+				curhost = curhost[i+1:] // "xxx.a.b.c.d" -> "a.b.c.d"
+				break
+			}
+		}
+	}
+
 	for {
 		if curhost == "" {
 			// we've reached end of string