diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 51bc368bf6..645a3e12cb 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -7115,8 +7115,13 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
  /*
  * If the target name is a subdomain of the search domain, allow it.
+ *
+ * Note that if BIND is configured as a forwarding DNS server, the
+ * search domain will always match the root domain ("."), so we
+ * must also check whether forwarding is enabled so that filters
+ * can be applied; see GL #1574.
  */
- if (dns_name_issubdomain(tname, &fctx->domain)) {
+ if (!fctx->forwarding && dns_name_issubdomain(tname, &fctx->domain)) {
  return (true);
  }
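Review bot: The new guard on the `if` is only as good as `fctx->forwarding` describing the response actually being checked, and nothing in this hunk shows where that flag is set or cleared. If a fetch can move between a forwarder and iterative resolution, a stale false would presumably restore the subdomain shortcut and skip the answer filter, while a stale true would filter in-domain targets that used to be allowed. I would add a line to the comment stating the invariant, e.g. `* fctx->forwarding must reflect the server that sent this response; if it is stale the filter is either skipped or over-applied.` The phrase "will always match the root domain" may also be broader than intended if `fctx->domain` can hold a forward zone name rather than "."; worth confirming and rewording. The body of is_answertarget_allowed starts and ends outside the hunk, so the except-from handling that follows is not visible here.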