diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
index 4867ff0426e..8127b02c005 100644
--- a/src/resolve/resolved-dns-query.c
+++ b/src/resolve/resolved-dns-query.c
@@ -590,6 +590,11 @@ int dns_query_new(
                 if (question_utf8 || question_idna)
                         return -EINVAL;
 
+                DnsQuestion *filtered_question_bypass = NULL;
+                r = manager_validate_and_mangle_question(m, &question_bypass->question, &filtered_question_bypass);
+                if (r < 0)
+                        return r;
+
         } else {
                 bool good = false;
 
diff --git a/test/units/TEST-75-RESOLVED.sh b/test/units/TEST-75-RESOLVED.sh
index 1b2f317532f..b20b6bd252e 100755
--- a/test/units/TEST-75-RESOLVED.sh
+++ b/test/units/TEST-75-RESOLVED.sh
@@ -1121,6 +1121,32 @@ testcase_14_refuse_record_types() {
     run dig localhost -t A
     grep -qF "status: NOERROR" "$RUN_OUT"
 
+    # Test DNS Proxy
+    run dig @127.0.0.54 localhost -t AAAA
+    grep -qF "status: REFUSED" "$RUN_OUT"
+
+    run dig @127.0.0.54 localhost -t SRV
+    grep -qF "status: REFUSED" "$RUN_OUT"
+
+    run dig @127.0.0.54 localhost -t TXT
+    grep -qF "status: REFUSED" "$RUN_OUT"
+
+    run dig @127.0.0.54 localhost -t A
+    grep -qF "status: NOERROR" "$RUN_OUT"
+
+    # Test DNSSEC
+    run dig localhost -t AAAA +dnssec +answer
+    grep -qF "status: REFUSED" "$RUN_OUT"
+
+    run dig localhost -t SRV +dnssec +answer
+    grep -qF "status: REFUSED" "$RUN_OUT"
+
+    run dig localhost -t TXT +dnssec +answer
+    grep -qF "status: REFUSED" "$RUN_OUT"
+
+    run dig localhost -t A +dnssec +answer
+    grep -qF "status: NOERROR" "$RUN_OUT"
+
     run resolvectl query localhost5
     grep -qF "127.128.0.5" "$RUN_OUT"