diff --git a/CHANGES b/CHANGES
index bf15b5b567..39aee677a0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+5522.	[bug]		Fix a race/NULL dereference in TCPDNS. [GL #2227]
+
 5520.	[bug]		Fixed a number of shutdown races, reference counting
 			errors, and spurious log messages that could occur
 			in the network manager. [GL #2221]
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 6c6020625c..cd79407d20 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -41,3 +41,6 @@ Bug Fixes
 
 - Handle `UV_EOF` differently such that it is not treated as a `TCP4RecvErr` or
   `TCP6RecvErr`. [GL #2208]
+
+- ``named`` could crash with an assertion failure if a TCP connection is closed
+  while the request is still processing. [GL #2227]
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
index 6a20ea4c7c..63391273cb 100644
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -596,9 +596,16 @@ isc__nm_tcpdns_send(isc_nmhandle_t *handle, isc_region_t *region,
 
 		r.base = (unsigned char *)uvreq->uvbuf.base;
 		r.length = uvreq->uvbuf.len;
-
-		isc_nmhandle_attach(sock->outerhandle, &sendhandle);
-		isc_nm_send(sock->outerhandle, &r, tcpdnssend_cb, uvreq);
+		if (sock->outerhandle != NULL) {
+			isc_nmhandle_attach(sock->outerhandle, &sendhandle);
+			isc_nm_send(sock->outerhandle, &r, tcpdnssend_cb,
+				    uvreq);
+		} else {
+			cb(handle, ISC_R_CANCELED, cbarg);
+			isc_mem_put(sock->mgr->mctx, uvreq->uvbuf.base,
+				    uvreq->uvbuf.len);
+			isc__nm_uvreq_put(&uvreq, sock);
+		}
 	} else {
 		isc__netievent_tcpdnssend_t *ievent = NULL;