diff --git a/proxy/beforerequest.go b/proxy/beforerequest.go
index c5246d66a..9fe68311a 100644
--- a/proxy/beforerequest.go
+++ b/proxy/beforerequest.go
@@ -43,9 +43,9 @@ type BeforeRequestHandler interface {
 	// set accordingly.
 	//
 	// If returned err is a [BeforeRequestError], the given response message is
-	// used, on any other error processed at all.  If err is nil, the request is
-	// processed further.  [Proxy] assumes a handler itself doesn't set the
-	// [DNSContext.Res] field.
+	// used, on any other error a SERVFAIL response used.  If err is nil, the
+	// request is processed further.  [Proxy] assumes a handler itself doesn't
+	// set the [DNSContext.Res] field.
 	HandleBefore(p *Proxy, dctx *DNSContext) (err error)
 }
 
@@ -72,13 +72,14 @@ func (p *Proxy) handleBefore(d *DNSContext) (cont bool) {
 
 	log.Debug("dnsproxy: handling before request: %s", err)
 
-	befReqErr := new(*BeforeRequestError)
-	if errors.As(err, befReqErr) {
+	if befReqErr := new(*BeforeRequestError); errors.As(err, befReqErr) {
 		d.Res = (*befReqErr).Response
-
-		p.logDNSMessage(d.Res)
-		p.respond(d)
+	} else {
+		d.Res = p.messages.NewMsgSERVFAIL(d.Req)
 	}
 
+	p.logDNSMessage(d.Res)
+	p.respond(d)
+
 	return false
 }