diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 7b09edf207..da9083010e 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -1919,6 +1919,15 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 
 	srtt = addrinfo->srtt;
 
+	/*
+	 * Allow an additional second for the kernel to resend the SYN (or
+	 * SYN without ECN in the case of stupid firewalls blocking ECN
+	 * negotiation) over the current RTT estimate.
+	 */
+	if ((options & DNS_FETCHOPT_TCP) != 0) {
+		srtt += 1000000;
+	}
+
 	/*
 	 * A forwarder needs to make multiple queries. Give it at least
 	 * a second to do these in.