diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
index 6db973d838..dee771bb44 100644
--- a/src/resolve/resolved-dns-query.c
+++ b/src/resolve/resolved-dns-query.c
@@ -632,6 +632,13 @@ int dns_query_new(
 if (question_utf8 || question_idna)
 return -EINVAL;
+ assert(dns_question_size(question_bypass->question) == 1);
+
+ /* In bypass mode we'll never mangle the question, but only deny or allow. (In bypass mode
+ * there's only going to be one entry in the query, hence there's no point in mangling
+ * questions, i.e. leaving some entries in and removing others.) */
+ if (test_refuse_record_types(m->refuse_record_types, question_bypass->question) != REFUSE_GOOD)
+ return -ENOANO;
 } else {
 bool good = false;
diff --git a/test/units/TEST-75-RESOLVED.sh b/test/units/TEST-75-RESOLVED.sh
index 823e404e28..c4ed53ec6c 100755
--- a/test/units/TEST-75-RESOLVED.sh
+++ b/test/units/TEST-75-RESOLVED.sh
@@ -1143,15 +1143,27 @@ testcase_14_refuse_record_types() {
 run dig localhost -t AAAA
 grep -qF "status: REFUSED" "$RUN_OUT"
+ run dig localhost @127.0.0.54 -t AAAA
+ grep -qF "status: REFUSED" "$RUN_OUT"
+
 run dig localhost -t SRV
 grep -qF "status: REFUSED" "$RUN_OUT"
+ run dig localhost @127.0.0.54 -t SRV
+ grep -qF "status: REFUSED" "$RUN_OUT"
+
 run dig localhost -t TXT
 grep -qF "status: REFUSED" "$RUN_OUT"
+ run dig localhost @127.0.0.54 -t TXT
+ grep -qF "status: REFUSED" "$RUN_OUT"
+
 run dig localhost -t A
 grep -qF "status: NOERROR" "$RUN_OUT"
+ run dig localhost @127.0.0.54 -t A
+ grep -qF "status: NOERROR" "$RUN_OUT"
+
 run resolvectl query localhost5
 grep -qF "127.128.0.5" "$RUN_OUT"
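Review bot: The `assert(dns_question_size(question_bypass->question) == 1)` added in the bypass branch of dns_query_new() (src/resolve/resolved-dns-query.c) turns a property of a client-supplied packet into a process abort if it ever fails. Whether the stub listener already rejects packets whose question section does not hold exactly one entry is not visible in this hunk; if that validation is missing or is relaxed later, one malformed query would stop name resolution for every local client. A runtime check keeps the failure local to the request, e.g. `if (dns_question_size(question_bypass->question) != 1) return -EINVAL;`, or, if the assert stays, a comment should name the function that enforces the invariant. dns_query_new() starts and ends outside the hunk.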
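Review bot: The `@127.0.0.54` queries added to testcase_14_refuse_record_types() (test/units/TEST-75-RESOLVED.sh) give no hint of why a second server address is queried, so the link to the new bypass-mode refusal check in dns_query_new() is lost on the next reader. A one-line comment above the first added pair would do, e.g. `# 127.0.0.54 is the proxy-mode stub; queries to it take the bypass path in dns_query_new()`, with the wording confirmed against the stub listener documentation. The same applies to the three pairs added in the later hunk at -1180. The function body continues outside both hunks.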
@@ -1180,12 +1192,21 @@ testcase_14_refuse_record_types() {
 run dig localhost -t SRV
 grep -qF "status: NOERROR" "$RUN_OUT"
+ run dig localhost @127.0.0.54 -t SRV
+ grep -qF "status: NOERROR" "$RUN_OUT"
+
 run dig localhost -t TXT
 grep -qF "status: NOERROR" "$RUN_OUT"
+ run dig localhost @127.0.0.54 -t TXT
+ grep -qF "status: NOERROR" "$RUN_OUT"
+
 run dig localhost -t AAAA
 grep -qF "status: REFUSED" "$RUN_OUT"
+ run dig localhost @127.0.0.54 -t AAAA
+ grep -qF "status: REFUSED" "$RUN_OUT"
+
 (! run resolvectl query localhost5 --type=SRV)
 grep -qF "does not have any RR of the requested type" "$RUN_OUT"