diff --git a/CHANGES b/CHANGES
index 3e9f88ea64..1cf1596d54 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4288.	[bug]		Fixed a regression in resolver.c:possibly_mark()
+			which caused known-bogus servers to be queried
+			anyway. [RT #41321]
+
 4287.	[bug]		Silence an overly noisy log message when message
 			parsing fails. [RT #41374]
 
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 768f7c422e..27756557c9 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -759,6 +759,13 @@
   </section>
   <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
     <itemizedlist>
+      <listitem>
+	<para>
+	  Authoritative servers that were marked as bogus (e.g. blackholed
+	  in configuration or with invalid addresses) were being queried
+	  anyway. [RT #41321]
+	</para>
+      </listitem>
       <listitem>
 	<para>
 	  Some of the options for GeoIP ACLs, including "areacode",
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index a331d38053..3e5d5a24aa 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -3477,9 +3477,6 @@ possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr) {
 	    bogus)
 		aborted = ISC_TRUE;
 
-	if (!isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3)))
-		return;
-
 	if (aborted) {
 		addr->flags |= FCTX_ADDRINFO_MARK;
 		msg = "ignoring blackholed / bogus server: ";
@@ -3503,9 +3500,11 @@ possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr) {
 	} else
 		return;
 
-	isc_netaddr_fromsockaddr(&na, sa);
-	isc_netaddr_format(&na, buf, sizeof(buf));
-	FCTXTRACE2(msg, buf);
+	if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+		isc_netaddr_fromsockaddr(&na, sa);
+		isc_netaddr_format(&na, buf, sizeof(buf));
+		FCTXTRACE2(msg, buf);
+	}
 }
 
 static inline dns_adbaddrinfo_t *