I made significant progress. It turned out I need the flag kDNSServiceFlagsReturnIntermediates to return errors and intermediate CNAME records. (I was already checking kDNSServiceFlagsMoreComing in the callback to keep iterating over the answers) The flags documentation is completely missing, but the source code lists all the flags, with comprehensive comments: https://opensource.apple.com/source/mDNSResponder/mDNSResponder-878.70.2/mDNSShared/dns_sd.h.auto.html I'm almost there! I can now get negative responses. However, there's still a problem. If the system already has a CNAME chain cached, but not the address record, it will return the CNAME chain immediately, with the last CNAME record with the kDNSServiceFlagsMoreComing == 0. I believe the A/AAAA record will come later, but with the "more coming" == 0 I can't tell there will be more results. So should I wait, or should I consider that an error? Next, I'm going to try stopping only once the response record type matches the question, or I hit an error.

Another data point: I can see the request being sent on Wireshark, and the negative response coming back, but my code never gets notified about it.