diff --git a/firewall/dns.go b/firewall/dns.go
index 5c3542f1..498d3a52 100644
--- a/firewall/dns.go
+++ b/firewall/dns.go
@@ -177,6 +177,15 @@ func FilterResolvedDNS(
 		return rrCache
 	}
 
+	// Finalize verdict.
+	defer func() {
+		// Reset from previous filtering.
+		conn.Verdict.Active = network.VerdictUndecided
+		conn.Verdict.Worst = network.VerdictUndecided
+		// Update all values again.
+		finalizeVerdict(conn)
+	}()
+
 	// special grant for connectivity domains
 	if checkConnectivityDomain(ctx, conn, layeredProfile, nil) {
 		// returns true if check triggered