diff --git a/NEWS b/NEWS
index e40aeef700419f1c8d99c05b1fadb25396f2006e..5f59c1735c706a924b00cf4b63ac73556435ee8e 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,10 @@ Security
 (!550, !558, security!2, security!4)
 - increase resilience against slow lorris attack (security!5)
 
+New features
+------------
+- new policy.REFUSE to reply REFUSED to clients
+
 Bugfixes
 --------
 - validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538)
diff --git a/modules/policy/README.rst b/modules/policy/README.rst
index 13c5e25b09d69f76774aa13615c666debf619b25..6ac242acc62fdbdd420071a8f3749d1769571f67 100644
--- a/modules/policy/README.rst
+++ b/modules/policy/README.rst
@@ -34,6 +34,7 @@ An *action* is function which modifies DNS query. There are several actions avai
 * ``DENY`` - reply NXDOMAIN authoritatively
 * ``DENY_MSG(msg)`` - reply NXDOMAIN authoritatively and add explanatory message to additional section
 * ``DROP`` - terminate query resolution and return SERVFAIL to the requestor
+* ``REFUSE`` - terminate query resolution and return REFUSED to the requestor
 * ``TC`` - set TC=1 if the request came through UDP, forcing client to retry with TCP
 * ``FORWARD(ip)`` - resolve a query via forwarding to an IP while validating and caching locally;
 * ``TLS_FORWARD({{ip, authentication}})`` - resolve a query via TLS connection forwarding to an IP while validating and caching locally;
diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua
index 954b53347179c41098f7511ef54d84a864a400dc..f053a40cee7520451a6f2804e73bd3d2e84b28f6 100644
--- a/modules/policy/policy.lua
+++ b/modules/policy/policy.lua
@@ -491,6 +491,12 @@ function policy.DROP(_, _)
 	return kres.FAIL
 end
 
+function policy.REFUSE(_, req)
+	local answer = req.answer
+	answer:rcode(kres.rcode.REFUSED)
+	return kres.DONE
+end
+
 function policy.TC(state, req)
 	local answer = req.answer
 	if answer.max_size ~= 65535 then
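Review bot: The new policy.REFUSE only sets the rcode on req.answer before returning kres.DONE, so any header flags presumably already present on the answer (the AD bit in particular) would be carried into the REFUSED reply, and a validating stub could misread an authenticated-looking refusal. If the packet wrapper exposes the AD setter the way it exposes rcode, clearing it next to the rcode, `answer:ad(false)`, keeps the refusal unambiguous. The function also lacks the one-line header the other actions would benefit from, e.g. `-- Reply REFUSED to the requestor and stop resolution.`. Note the hunk is cut mid-definition at both ends: its leading context is the tail of policy.DROP and its trailing context the head of policy.TC.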