diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
index 9b296e7aa6..c0bb40937a 100644
--- a/src/resolve/resolved-dns-query.c
+++ b/src/resolve/resolved-dns-query.c
@@ -737,18 +737,9 @@ int dns_query_go(DnsQuery *q) {
 
         LIST_FOREACH(scopes, s, q->manager->dns_scopes) {
                 DnsScopeMatch match;
-                const char *name;
-
-                name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol));
-                if (!name)
-                        continue;
-
-                match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
-                if (match < 0) {
-                        log_debug("Couldn't check if '%s' matches against scope, ignoring.", name);
-                        continue;
-                }
 
+                match = dns_scope_good_domain(s, q);
+                assert(match >= 0);
                 if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one
                                       * that matches this well */
                         found = match;
@@ -773,18 +764,9 @@ int dns_query_go(DnsQuery *q) {
 
         LIST_FOREACH(scopes, s, first->scopes_next) {
                 DnsScopeMatch match;
-                const char *name;
-
-                name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol));
-                if (!name)
-                        continue;
-
-                match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
-                if (match < 0) {
-                        log_debug("Couldn't check if '%s' matches against scope, ignoring.", name);
-                        continue;
-                }
 
+                match = dns_scope_good_domain(s, q);
+                assert(match >= 0);
                 if (match < found)
                         continue;
 
diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index c3a2e2fc60..16c5e0094c 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -584,11 +584,13 @@ static DnsScopeMatch match_subnet_reverse_lookups(
 
 DnsScopeMatch dns_scope_good_domain(
                 DnsScope *s,
-                int ifindex,
-                uint64_t flags,
-                const char *domain) {
+                DnsQuery *q) {
 
+        DnsQuestion *question;
         DnsSearchDomain *d;
+        const char *domain;
+        uint64_t flags;
+        int ifindex;
 
         /* This returns the following return values:
          *
@@ -602,7 +604,18 @@ DnsScopeMatch dns_scope_good_domain(
          */
 
         assert(s);
-        assert(domain);
+        assert(q);
+
+        question = dns_query_question_for_protocol(q, s->protocol);
+        if (!question)
+                return DNS_SCOPE_NO;
+
+        domain = dns_question_first_name(question);
+        if (!domain)
+                return DNS_SCOPE_NO;
+
+        ifindex = q->ifindex;
+        flags = q->flags;
 
         /* Checks if the specified domain is something to look up on this scope. Note that this accepts
          * non-qualified hostnames, i.e. those without any search path suffixed. */
@@ -613,10 +626,6 @@ DnsScopeMatch dns_scope_good_domain(
         if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family, false, false) & flags) == 0)
                 return DNS_SCOPE_NO;
 
-        /* Never resolve empty name. */
-        if (dns_name_is_empty(domain))
-                return DNS_SCOPE_NO;
-
         /* Never resolve any loopback hostname or IP address via DNS, LLMNR or mDNS. Instead, always rely on
          * synthesized RRs for these. */
         if (is_localhost(domain) ||
@@ -639,6 +648,22 @@ DnsScopeMatch dns_scope_good_domain(
                 DnsScopeMatch m;
                 int n_best = -1;
 
+                if (dns_name_is_empty(domain)) {
+                        DnsResourceKey *t;
+                        bool found = false;
+
+                        /* Refuse empty name if only A and/or AAAA records are requested. */
+
+                        DNS_QUESTION_FOREACH(t, question)
+                                if (!IN_SET(t->type, DNS_TYPE_A, DNS_TYPE_AAAA)) {
+                                        found = true;
+                                        break;
+                                }
+
+                        if (!found)
+                                return DNS_SCOPE_NO;
+                }
+
                 /* Never route things to scopes that lack DNS servers */
                 if (!dns_scope_get_dns_server(s))
                         return DNS_SCOPE_NO;
diff --git a/src/resolve/resolved-dns-scope.h b/src/resolve/resolved-dns-scope.h
index a2b9546b38..1f9d22b7d1 100644
--- a/src/resolve/resolved-dns-scope.h
+++ b/src/resolve/resolved-dns-scope.h
@@ -10,7 +10,7 @@ typedef struct DnsScope DnsScope;
 #include "resolved-dns-cache.h"
 #include "resolved-dns-dnssec.h"
 #include "resolved-dns-packet.h"
-
+#include "resolved-dns-query.h"
 #include "resolved-dns-search-domain.h"
 #include "resolved-dns-server.h"
 #include "resolved-dns-stream.h"
@@ -76,7 +76,7 @@ int dns_scope_emit_udp(DnsScope *s, int fd, int af, DnsPacket *p);
 int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *address, DnsServer *server, uint16_t port, union sockaddr_union *ret_socket_address);
 int dns_scope_socket_udp(DnsScope *s, DnsServer *server);
 
-DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain);
+DnsScopeMatch dns_scope_good_domain(DnsScope *s, DnsQuery *q);
 bool dns_scope_good_key(DnsScope *s, const DnsResourceKey *key);
 
 DnsServer *dns_scope_get_dns_server(DnsScope *s);