diff --git a/firewall/dns.go b/firewall/dns.go
index d6421e2e..d9a868cb 100644
--- a/firewall/dns.go
+++ b/firewall/dns.go
@@ -104,7 +104,7 @@ func filterDNSResponse(conn *network.Connection, rrCache *resolver.RRCache) *res
 	rrCache.Answer, filteredRecords, validIPs = filterDNSSection(rrCache.Answer, p, rrCache.ServerScope)
 	rrCache.FilteredEntries = append(rrCache.FilteredEntries, filteredRecords...)
 
-	// FIXME(ppacher): should we consider valid IPs from the extra section?
+	// we don't count the valid IPs in the extra section
 	rrCache.Extra, filteredRecords, _ = filterDNSSection(rrCache.Extra, p, rrCache.ServerScope)
 	rrCache.FilteredEntries = append(rrCache.FilteredEntries, filteredRecords...)
 
diff --git a/intel/block_reason.go b/intel/block_reason.go
index 040d6c01..09b89db2 100644
--- a/intel/block_reason.go
+++ b/intel/block_reason.go
@@ -83,7 +83,7 @@ func (br ListBlockReason) ToRRs() []dns.RR {
 			wouldBeBlockedBy, err := dns.NewRR(fmt.Sprintf(
 				"%s-wouldBeBlockedBy.		0	IN	TXT 	%q",
 				strings.TrimRight(lm.Entity, "."),
-				strings.Join(lm.ActiveLists, ","),
+				strings.Join(lm.InactiveLists, ","),
 			))
 			if err == nil {
 				rrs = append(rrs, wouldBeBlockedBy)