diff --git a/CHANGES b/CHANGES index 912e0018fe..fc005b8a55 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5376. [bug] Fix DNS ineffective rebinding protection when BIND 9 + is configured as a forwarding DNS server. [GL #1574] + (Thanks to Tobias Klein) + 5358. [bug] Inline master zones whose master files were touched but otherwise unchanged and were subsequently reloaded may have stopped re-signing. [GL !3135] diff --git a/bin/tests/system/forward/ns4/malicious.db b/bin/tests/system/forward/ns4/malicious.db new file mode 100644 index 0000000000..f0b4b9cc6f --- /dev/null +++ b/bin/tests/system/forward/ns4/malicious.db @@ -0,0 +1,13 @@ +$TTL 86400 +@ IN SOA malicious. admin.malicious. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + +@ IN NS ns + +ns IN A 10.53.0.4 + +target IN CNAME subdomain.rebind. diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in index 643e1271b5..fee76b41e5 100644 --- a/bin/tests/system/forward/ns4/named.conf.in +++ b/bin/tests/system/forward/ns4/named.conf.in @@ -55,3 +55,8 @@ zone "grafted" { forward only; forwarders { 10.53.0.2; }; }; + +zone "malicious." { + type master; + file "malicious.db"; +}; diff --git a/bin/tests/system/forward/ns5/named.conf.in b/bin/tests/system/forward/ns5/named.conf.in index f86de1a424..6742222d4d 100644 --- a/bin/tests/system/forward/ns5/named.conf.in +++ b/bin/tests/system/forward/ns5/named.conf.in @@ -19,6 +19,7 @@ options { listen-on-v6 { none; }; forward only; forwarders { 10.53.0.4; }; + deny-answer-aliases { "rebind"; }; dnssec-validation yes; }; @@ -26,3 +27,8 @@ zone "." { type hint; file "root.db"; }; + +zone "rebind" { + type master; + file "rebind.db"; +}; diff --git a/bin/tests/system/forward/ns5/rebind.db b/bin/tests/system/forward/ns5/rebind.db new file mode 100644 index 0000000000..4741e8c4c3 --- /dev/null +++ b/bin/tests/system/forward/ns5/rebind.db 
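Review bot: The line `deny-answer-aliases { "rebind"; };` added to ns5/named.conf.in sits between `forwarders` and `dnssec-validation` with nothing saying why this server filters that name, and the `zone "rebind"` block added in the second hunk is the very zone the filter names, which is easy to misread as a mistake. A short comment on the option, such as `// reject forwarded CNAME/DNAME answers that point into "rebind" (rebinding protection, GL #1574)`, and one on the zone block noting that ns5 serves it only so that `subdomain.rebind` has an A record for the test, would make the fixture self-explanatory. The same applies to the `zone "malicious."` block in ns4/named.conf.in, whose role as the forwarded target that returns the out-of-zone CNAME is only explained in tests.sh.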
@@ -0,0 +1,13 @@ +$TTL 86400 +@ IN SOA rebind. admin.rebind. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + +@ IN NS ns + +ns IN A 10.53.0.5 + +subdomain IN A 10.53.0.1 diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh index d76cd59217..fc3822cfb6 100644 --- a/bin/tests/system/forward/tests.sh +++ b/bin/tests/system/forward/tests.sh @@ -217,5 +217,18 @@ grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) +n=$((n+1)) +echo_i "checking that rebinding protection works in forward only mode ($n)" +ret=0 +# 10.53.0.5 will forward target.malicious. query to 10.53.0.4 +# which in turn will return a CNAME for subdomain.rebind. +# to honor the option deny-answer-aliases { "rebind"; }; +# ns5 should return a SERVFAIL to avoid potential rebinding attacks +dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1 +grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/doc/arm/notes-9.14.12.xml b/doc/arm/notes-9.14.12.xml index e0f96ed5c6..68130aa4ad 100644 --- a/doc/arm/notes-9.14.12.xml +++ b/doc/arm/notes-9.14.12.xml @@ -11,6 +11,18 @@
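Review bot: The new check in tests.sh only demonstrates that the forward-only path now reaches the `deny-answer-aliases` filter (SERVFAIL for `target.malicious.`); it does not demonstrate that a forwarded answer which passes the filter still resolves, which matters because the resolver.c change routes every forwarded CNAME target through the filters instead of the `dns_name_issubdomain(tname, &fctx->domain)` shortcut. A companion check that queries ns5 for a name whose forwarded CNAME does not fall under `rebind` and expects `grep "status: NOERROR" dig.out.$n > /dev/null || ret=1` would catch an over-blocking regression in the forwarding case. Also, the hunk adds two blank lines before `echo_i "exit status: $status"` where the rest of the file separates test blocks with one; drop one of the added blank lines.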
Notes for BIND 9.14.12 +
Security Fixes + + + + DNS rebinding protection was ineffective when BIND 9 is configured as + a forwarding DNS server. Found and responsibly reported by Tobias + Klein. [GL #1574] + + + +
+
Bug Fixes diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 1ccc043117..73fc5763dc 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -6985,9 +6985,15 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, /* * If the target name is a subdomain of the search domain, allow it. + * + * Note that if BIND is configured as a forwarding DNS server, the + * search domain will always match the root domain ("."), so we + * must also check whether forwarding is enabled so that filters + * can be applied; see GL #1574. */ - if (dns_name_issubdomain(tname, &fctx->domain)) + if (!fctx->forwarding && dns_name_issubdomain(tname, &fctx->domain)) { return (true); + } /* * Otherwise, apply filters.