diff --git a/ostp-core/src/dns.rs b/ostp-core/src/dns.rs
index 6463a87..1f1590d 100644
--- a/ostp-core/src/dns.rs
+++ b/ostp-core/src/dns.rs
@@ -136,13 +136,17 @@ impl DnsPacket {
                 qtype: rtype.clone(),
                 qclass: 1, // IN
             }],
-            answers: vec![DnsAnswer {
-                name: name.to_string(),
-                rtype,
-                rclass: 1,
-                ttl: 0, // No caching
-                rdata,
-            }],
+            answers: if rdata.is_empty() {
+                vec![]
+            } else {
+                vec![DnsAnswer {
+                    name: name.to_string(),
+                    rtype,
+                    rclass: 1,
+                    ttl: 0, // No caching
+                    rdata,
+                }]
+            },
         }
     }
 
diff --git a/ostp-server/src/transport/dns.rs b/ostp-server/src/transport/dns.rs
index 2cbaac2..f6a9e95 100644
--- a/ostp-server/src/transport/dns.rs
+++ b/ostp-server/src/transport/dns.rs
@@ -168,9 +168,17 @@ async fn handle_dns_query(
     if dns_req.questions.is_empty() { return; }
     let query = &dns_req.questions[0];
 
-    // Must be TXT query for our subdomain
-    if query.qtype != DnsRecordType::TXT && query.qtype != DnsRecordType::NULL { return; }
-    if !query.name.ends_with(&base_domain) { return; }
+    if query.qtype != DnsRecordType::TXT && query.qtype != DnsRecordType::NULL {
+        let resp = build_dns_response(&dns_req, &query.name, query.qtype.clone(), vec![]);
+        let _ = socket.send_to(&resp, peer).await;
+        return;
+    }
+    if !query.name.ends_with(&base_domain) {
+        let mut resp = DnsPacket::new_response(dns_req.id, &query.name, query.qtype.clone(), vec![]);
+        resp.flags = 0x8183; // NXDOMAIN
+        let _ = socket.send_to(&resp.encode(), peer).await;
+        return;
+    }
 
     // Strip base domain and labels separator to get base32 subdomain
     let subdomain = {