diff --git a/internal/configuration/settings.go b/internal/configuration/settings.go
index e5a4f6e7..386e9040 100644
--- a/internal/configuration/settings.go
+++ b/internal/configuration/settings.go
@@ -85,6 +85,10 @@ func (settings *Settings) Read(env params.Env, os os.OS, logger logging.Logger)
 		return err
 	}
 
+	if ip := settings.DNS.PlaintextAddress; ip != nil {
+		settings.Updater.DNSAddress = ip.String()
+	}
+
 	if err := settings.PublicIP.read(r); err != nil {
 		return err
 	}
diff --git a/internal/configuration/updater.go b/internal/configuration/updater.go
index 574477f2..1f554859 100644
--- a/internal/configuration/updater.go
+++ b/internal/configuration/updater.go
@@ -51,7 +51,11 @@ func (settings *Updater) read(r reader) (err error) {
 	settings.Windscribe = true
 	settings.Stdout = false
 	settings.CLI = false
-	settings.DNSAddress = "127.0.0.1"
+	// use cloudflare in plaintext to not be blocked by DNS over TLS by default.
+	// If a plaintext address is set in the DNS settings, this one will be used.
+	// TODO use custom future encrypted DNS written in Go without blocking
+	// as it's too much trouble to start another parallel unbound instance for now.
+	settings.DNSAddress = "1.1.1.1"
 
 	settings.Period, err = r.env.Duration("UPDATER_PERIOD", params.Default("0"))
 	if err != nil {