diff --git a/conduwuit-example.toml b/conduwuit-example.toml
index bcaa5b8f..03029dd5 100644
--- a/conduwuit-example.toml
+++ b/conduwuit-example.toml
@@ -514,6 +514,12 @@ allow_profile_lookup_federation_requests = true
 # The default is to query one nameserver and stop (false).
 #query_all_nameservers = true
 
+# Enables using *only* TCP for querying your specified nameservers instead of UDP.
+#
+# You very likely do *not* want this. hickory-resolver already falls back to TCP on UDP errors.
+# Defaults to false
+#query_over_tcp_only = false
+
 # DNS A/AAAA record lookup strategy
 #
 # Takes a number of one of the following options:
diff --git a/src/config/mod.rs b/src/config/mod.rs
index 5fb1eedc..315e1fb4 100644
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@@ -103,6 +103,8 @@ pub(crate) struct Config {
 pub(crate) dns_tcp_fallback: bool,
 #[serde(default = "true_fn")]
 pub(crate) query_all_nameservers: bool,
+ #[serde(default)]
+ pub(crate) query_over_tcp_only: bool,
 #[serde(default = "default_ip_lookup_strategy")]
 pub(crate) ip_lookup_strategy: u8,
 
diff --git a/src/service/globals/resolver.rs b/src/service/globals/resolver.rs
index 3d1acd5d..96ee7382 100644
--- a/src/service/globals/resolver.rs
+++ b/src/service/globals/resolver.rs
@@ -51,6 +51,10 @@ impl Resolver {
 for sys_conf in sys_conf.name_servers() {
 let mut ns = sys_conf.clone();
 
+ if config.query_over_tcp_only {
+ ns.protocol = hickory_resolver::config::Protocol::Tcp;
+ }
+
 ns.trust_negative_responses = !config.query_all_nameservers;
 
 conf.add_name_server(ns);
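Review bot: The new `query_over_tcp_only` field in `Config` has no doc comment, and it sits directly beside `dns_tcp_fallback` with nothing at the field saying how the two settings combine. A short comment would keep an operator or maintainer from reading them as alternatives, for example `/// Query the configured nameservers over TCP only, never UDP. Defaults to false.` plus one sentence on what happens when `dns_tcp_fallback` is also set. The struct starts and ends outside this hunk, so whether the neighbouring fields are documented elsewhere is not visible here.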
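Review bot: The override inside the `for sys_conf in sys_conf.name_servers()` loop rewrites `ns.protocol` on every entry, whatever transport that entry already had. If the system configuration lists each server once per transport (hickory's system-conf reader appears to emit a UDP and a TCP entry per address, which is worth confirming), the same TCP nameserver is registered twice. An entry that arrived with some other transport would also be silently changed to plain TCP. Consider limiting the rewrite to UDP entries, `if config.query_over_tcp_only && ns.protocol == hickory_resolver::config::Protocol::Udp {`, and skipping an entry that would duplicate one already passed to `conf.add_name_server`. The loop body continues outside the hunk.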