diff --git a/dnsforward/dnsforward.go b/dnsforward/dnsforward.go
index 1887c6e2b75..36f5445e569 100644
--- a/dnsforward/dnsforward.go
+++ b/dnsforward/dnsforward.go
@@ -51,7 +51,8 @@ type Server struct {
 	stats      stats.Stats
 	access     *accessCtx
 
-	tableReverse map[string]string // "IP -> hostname" table for reverse lookup
+	tablePTR     map[string]string // "IP -> hostname" table for reverse lookup
+	tablePTRLock sync.Mutex
 
 	// DNS proxy instance for internal usage
 	// We don't Start() it and so no listen port is required.
diff --git a/dnsforward/handle_dns.go b/dnsforward/handle_dns.go
index 0f2f6bafe23..462f37501ea 100644
--- a/dnsforward/handle_dns.go
+++ b/dnsforward/handle_dns.go
@@ -111,15 +111,16 @@ func (s *Server) onDHCPLeaseChanged(flags int) {
 		m[l.IP.String()] = l.Hostname
 	}
 	log.Debug("DNS: added %d PTR entries from DHCP", len(m))
-	s.tableReverse = m
+	s.tablePTRLock.Lock()
+	s.tablePTR = m
+	s.tablePTRLock.Unlock()
 }
 
 // Respond to PTR requests if the target IP address is leased by our DHCP server
 func processInternalIPAddrs(ctx *dnsContext) int {
 	s := ctx.srv
 	req := ctx.proxyCtx.Req
-	if req.Question[0].Qtype != dns.TypePTR ||
-		s.tableReverse == nil {
+	if req.Question[0].Qtype != dns.TypePTR {
 		return resultDone
 	}
 
@@ -131,7 +132,13 @@ func processInternalIPAddrs(ctx *dnsContext) int {
 		return resultDone
 	}
 
-	host, ok := s.tableReverse[ip.String()]
+	s.tablePTRLock.Lock()
+	if s.tablePTR == nil {
+		s.tablePTRLock.Unlock()
+		return resultDone
+	}
+	host, ok := s.tablePTR[ip.String()]
+	s.tablePTRLock.Unlock()
 	if !ok {
 		return resultDone
 	}