diff --git a/docs/settings.rst b/docs/settings.rst index 35a65cfd9fcc..0087c07f5f94 100644 --- a/docs/settings.rst +++ b/docs/settings.rst @@ -785,6 +785,21 @@ the server will return NODATA for A/AAAA queries for such names. In PowerDNS Authoritative Server 4.0.x, this setting did not exist and ALIAS was always expanded. +.. _setting-resolve-across-domains: + +``resolve-across-domains`` +-------------------------- + +- Boolean +- Default: yes + +If this is enabled, CNAME records and other referrals will be resolved as long as their targets exist in any local backend. +Can be disabled to allow for different authorities managing zones in the same server instance. + +Referrals not available in local backends are never resolved. +SVCB referrals are never resolved across domains. +ALIAS is not impacted by this setting. + .. _setting-forward-dnsupdate: ``forward-dnsupdate`` diff --git a/pdns/auth-main.cc b/pdns/auth-main.cc index 72e05c9e6e7f..3c85a8bc423c 100644 --- a/pdns/auth-main.cc +++ b/pdns/auth-main.cc @@ -309,6 +309,7 @@ static void declareArguments() ::arg().setSwitch("expand-alias", "Expand ALIAS records") = "no"; ::arg().set("outgoing-axfr-expand-alias", "Expand ALIAS records during outgoing AXFR") = "no"; + ::arg().setSwitch("resolve-across-domains", "Resolve CNAME targets and other referrals across local domains") = "yes"; ::arg().setSwitch("8bit-dns", "Allow 8bit dns queries") = "no"; #ifdef HAVE_LUA_RECORDS ::arg().setSwitch("enable-lua-records", "Process LUA records for all zones (metadata overrides this)") = "no"; diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index 3d385ed7b54c..c53ee37b8d52 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc 
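Review bot: The new `resolve-across-domains` switch in declareArguments() defaults to `yes`, so a server that hosts zones for different authorities keeps following CNAME targets into other local zones until the operator opts out. That preserves existing behaviour, but it makes the separation described in the docs hunk opt-in, which the one-line help text does not convey. Consider saying so in the description, e.g. `"Resolve CNAME targets and other referrals across local domains (disable when zones on this server are managed by different authorities)"`, and calling it out in the upgrade notes. declareArguments() starts and ends outside this hunk.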
@@ -69,6 +69,7 @@ PacketHandler::PacketHandler():B(g_programname), d_dk(&B) ++s_count; d_doDNAME=::arg().mustDo("dname-processing"); d_doExpandALIAS = ::arg().mustDo("expand-alias"); + d_doResolveAcrossDomains = ::arg().mustDo("resolve-across-domains"); d_logDNSDetails= ::arg().mustDo("log-dns-details"); string fname= ::arg()["lua-prequery-script"]; @@ -1336,6 +1337,7 @@ bool PacketHandler::tryWildcard(DNSPacket& p, std::unique_ptr& r, DNS } //! Called by the Distributor to ask a question. Returns 0 in case of an error +// NOLINTNEXTLINE(readability-function-cognitive-complexity) std::unique_ptr PacketHandler::doQuestion(DNSPacket& p) { DNSZoneRecord rr; @@ -1524,12 +1526,17 @@ std::unique_ptr PacketHandler::doQuestion(DNSPacket& p) } DLOG(g_log<
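Review bot: The `// NOLINTNEXTLINE(readability-function-cognitive-complexity)` added above PacketHandler::doQuestion silences the lint without giving a reason, on the function that appears to be where the `resolve-across-domains` boundary is enforced. The later doQuestion hunk is cut off in this view, so I can't confirm how the new check is written. If it is inline, moving the decision "may this target be followed into another local zone" into a small named helper would make that authority check easier to audit and test. At minimum, record why the suppression is there, e.g. `// NOLINTNEXTLINE(readability-function-cognitive-complexity): doQuestion is pending a split into helpers`. doQuestion's body continues outside this hunk.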