diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h
index a687fbfc9f..4fe22e4b6a 100644
--- a/lib/dns/include/dns/log.h
+++ b/lib/dns/include/dns/log.h
@@ -41,6 +41,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
 #define DNS_LOGCATEGORY_DNSTAP (&dns_categories[16])
 #define DNS_LOGCATEGORY_ZONELOAD (&dns_categories[17])
 #define DNS_LOGCATEGORY_NSID (&dns_categories[18])
+#define DNS_LOGCATEGORY_RPZ_PASSTHRU (&dns_categories[19])
 
 /* Backwards compatibility. */
 #define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
diff --git a/lib/dns/log.c b/lib/dns/log.c
index 5964d1ba49..98163b0ba2 100644
--- a/lib/dns/log.c
+++ b/lib/dns/log.c
@@ -20,26 +20,13 @@
 * \#define to .
 */
 LIBDNS_EXTERNAL_DATA isc_logcategory_t dns_categories[] = {
- { "notify", 0 },
- { "database", 0 },
- { "security", 0 },
- { "_placeholder", 0 },
- { "dnssec", 0 },
- { "resolver", 0 },
- { "xfer-in", 0 },
- { "xfer-out", 0 },
- { "dispatch", 0 },
- { "lame-servers", 0 },
- { "delegation-only", 0 },
- { "edns-disabled", 0 },
- { "rpz", 0 },
- { "rate-limit", 0 },
- { "cname", 0 },
- { "spill", 0 },
- { "dnstap", 0 },
- { "zoneload", 0 },
- { "nsid", 0 },
- { NULL, 0 }
+ { "notify", 0 }, { "database", 0 }, { "security", 0 },
+ { "_placeholder", 0 }, { "dnssec", 0 }, { "resolver", 0 },
+ { "xfer-in", 0 }, { "xfer-out", 0 }, { "dispatch", 0 },
+ { "lame-servers", 0 }, { "delegation-only", 0 }, { "edns-disabled", 0 },
+ { "rpz", 0 }, { "rate-limit", 0 }, { "cname", 0 },
+ { "spill", 0 }, { "dnstap", 0 }, { "zoneload", 0 },
+ { "nsid", 0 }, { "rpz-passthru", 0 }, { NULL, 0 }
 };
 
 /*%
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 8f1a8b1162..9d3ca90df9 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
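Review bot: In lib/dns/include/dns/log.h the new `DNS_LOGCATEGORY_RPZ_PASSTHRU` is bound to `dns_categories[19]` purely by position, and the lib/dns/log.c hunk in the same commit repacks the table three entries per line, so confirming that slot 19 really is `"rpz-passthru"` now means counting across rows. The mapping is correct as written (`"nsid"` is 18 and `"rpz-passthru"` follows it), but the next addition is easy to get wrong, and a wrong index would silently file messages under a different category than the operator configured. I would keep one entry per line, or annotate the rows with their indices, e.g. `{ "nsid", 0 }, { "rpz-passthru", 0 }, { NULL, 0 } /* 18, 19, terminator */`. The reflow also mixes a formatting change into a functional one, which hides the single added entry among twenty rewritten lines.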
@@ -1164,8 +1164,12 @@ rpz_log_rewrite(ns_client_t *client, bool disabled, dns_rpz_policy_t policy, dns_rdataclass_format(rdataset->rdclass, classbuf, sizeof(classbuf)); dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf)); - ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY, - DNS_RPZ_INFO_LEVEL, + /* It's possible to have a separate log channel for rpz passthru. */ + isc_logcategory_t *log_cat = (policy == DNS_RPZ_POLICY_PASSTHRU) + ? DNS_LOGCATEGORY_RPZ_PASSTHRU + : DNS_LOGCATEGORY_RPZ; + + ns_client_log(client, log_cat, NS_LOGMODULE_QUERY, DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s/%s/%s via %s%s%s%s", disabled ? "disabled " : "", dns_rpz_type2str(type), dns_rpz_policy2str(policy), qname_buf, typebuf, classbuf,
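Review bot: Passthru rewrites stop being logged under the `rpz` category once `log_cat` is selected here, so an existing `logging` configuration that routes only `category rpz` to a file or SIEM channel will no longer receive them unless it also lists `rpz-passthru`; presumably they then fall back to whatever the default category is sent to. That is a quiet change in DNS-firewall telemetry for anyone monitoring allow-listed hits, so it deserves a release note and a documentation entry for the new category name (neither is visible in this diff). The added comment could state the effect rather than the possibility, e.g. `/* PASSTHRU hits are logged under "rpz-passthru", not "rpz", so they can be routed or suppressed separately. */`. The `ns_client_log()` argument list and the rest of `rpz_log_rewrite()` continue outside the hunk.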