diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 11571dbe23fa9109d31d66d16e72bb6dd77e730b..4e594d721d58db3ad1ce6fcc7543ee348d470e7c 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -1662,6 +1662,15 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 
 	srtt = addrinfo->srtt;
 
+	/*
+	 * Allow an additional second for the kernel to resend the SYN (or
+	 * SYN without ECN in the case of stupid firewalls blocking ECN
+	 * negotiation) over the current RTT estimate.
+	 */
+	if ((options & DNS_FETCHOPT_TCP) != 0) {
+		srtt += 1000000;
+	}
+
 	/*
 	 * A forwarder needs to make multiple queries. Give it at least
 	 * a second to do these in.