diff --git a/nameserver/nameserver.go b/nameserver/nameserver.go
index 71e11c3e..f89ad827 100644
--- a/nameserver/nameserver.go
+++ b/nameserver/nameserver.go
@@ -150,6 +150,12 @@ func handleRequest(ctx context.Context, w dns.ResponseWriter, request *dns.Msg)
 // For undecided or accepted connections we don't save them yet, because
 // that will happen later anyway.
 case network.VerdictUndecided, network.VerdictAccept:
+ // Check if we have a response.
+ if rrCache == nil {
+ conn.Failed("internal error: no reply", "")
+ return
+ }
+ // Save the request as open, as we don't know if there will be a connection or not.
 network.SaveOpenDNSRequest(q, rrCache, conn)
 firewall.UpdateIPsAndCNAMEs(q, rrCache, conn)
@@ -191,6 +197,7 @@ func handleRequest(ctx context.Context, w dns.ResponseWriter, request *dns.Msg)
 rrCache, err = resolver.Resolve(ctx, q)
 // Handle error.
 if err != nil {
+ conn.Failed(fmt.Sprintf("query failed: %s", err), "")
 switch {
 case errors.Is(err, resolver.ErrNotFound):
 tracer.Tracef("nameserver: %s", err)
diff --git a/network/dns.go b/network/dns.go
index 2d5f56ee..e7c88e77 100644
--- a/network/dns.go
+++ b/network/dns.go
@@ -52,7 +52,7 @@ func removeOpenDNSRequest(pid int, fqdn string) {
 // SaveOpenDNSRequest saves a dns request connection that was allowed to proceed.
 func SaveOpenDNSRequest(q *resolver.Query, rrCache *resolver.RRCache, conn *Connection) {
 // Only save requests that actually went out to reduce clutter.
- if rrCache.ServedFromCache {
+ if rrCache == nil || rrCache.ServedFromCache {
 return
 }
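Review bot: The early `return` after `conn.Failed("internal error: no reply", "")` in the `VerdictUndecided`/`VerdictAccept` case leaves without persisting the connection, and the comment above this case says these verdicts are not saved here because that happens later. Once the connection has been marked failed, that later save may never come, so an accepted query that produced no reply could be missing from the record an operator reviews. The switch starts outside the hunk, so this is inferred; if a sibling case saves failed verdicts immediately, this branch should do the same before returning, e.g. `conn.Save()` (assuming that is the call the sibling case uses). At minimum add a comment such as `// Verdict is now failed; nothing later will save this connection.` if that is the intended outcome.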
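Review bot: `conn.Failed(fmt.Sprintf("query failed: %s", err), "")` is placed before the `switch`, so every resolver error is recorded as a failed query, including the `errors.Is(err, resolver.ErrNotFound)` case that the first branch only traces. A not-found answer is a normal resolution outcome, and labelling it a failure makes genuine resolver faults harder to pick out of the connection history. Unless a later branch overwrites the reason (the switch continues outside the hunk), move the call into the branches that represent real failures, or give the not-found branch its own reason. The raw resolver error also ends up in the connection reason, so it is worth confirming that text is safe to show wherever the reason is displayed.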
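Review bot: The comments on `SaveOpenDNSRequest` no longer describe the guard, because a nil `rrCache` is now accepted and silently ignored while the inline comment still explains only the served-from-cache case. Suggest `// Only save requests that actually went out to reduce clutter; a nil rrCache means there is no response to save.` and one sentence in the doc comment stating that a nil `rrCache` is a no-op, so callers know the nil case is handled here and not reported. The function body continues outside the hunk.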