diff --git a/core/dnsserver/register.go b/core/dnsserver/register.go
index e94accc22..176be49b8 100644
--- a/core/dnsserver/register.go
+++ b/core/dnsserver/register.go
@@ -147,7 +147,9 @@ func (h *dnsContext) MakeServers() ([]caddy.Server, error) {
 c.ListenHosts = c.firstConfigInBlock.ListenHosts
 c.Debug = c.firstConfigInBlock.Debug
 c.Stacktrace = c.firstConfigInBlock.Stacktrace
- c.TLSConfig = c.firstConfigInBlock.TLSConfig
+
+ // Fork TLSConfig for each encrypted connection
+ c.TLSConfig = c.firstConfigInBlock.TLSConfig.Clone()
 c.TsigSecret = c.firstConfigInBlock.TsigSecret
 }
diff --git a/test/tls_test.go b/test/tls_test.go
index f302d5105..a493d983d 100644
--- a/test/tls_test.go
+++ b/test/tls_test.go
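Review bot: The new comment `// Fork TLSConfig for each encrypted connection` overstates what the assignment does: `Clone()` runs once per config in the server block while MakeServers builds the servers, not per connection, so a reader looking for per-connection state will be misled. The clone presumably exists so that each listener sharing a block (DoT and DoH, judging by the test added in this commit) can set its own NextProtos without overwriting a sibling's values on a shared pointer; saying so is more useful, e.g. `// Give each server in the block its own copy so per-protocol settings (NextProtos/ALPN) cannot clobber a sibling's shared *tls.Config; Clone is shallow, so nested slices and callbacks stay shared.` On current Go `(*tls.Config).Clone` returns nil for a nil receiver, so blocks without a tls directive keep a nil TLSConfig as before, but the hunk does not document that it relies on this. MakeServers starts and ends outside the hunk.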
@@ -2,45 +2,66 @@ package test import ( "crypto/tls" + "fmt" "testing" "github.com/miekg/dns" ) -func TestDNSoverTLS(t *testing.T) { - corefile := `tls://.:1053 { +func TestTLS(t *testing.T) { + tempCorefile := `%s { tls ../plugin/tls/test_cert.pem ../plugin/tls/test_key.pem whoami }` - qname := "example.com." - qtype := dns.TypeA + + dot, doh := ":1053", ":8443" + m := new(dns.Msg) + m.SetQuestion("example.com.", dns.TypeA) answerLength := 0 - ex, _, tcp, err := CoreDNSServerAndPorts(corefile) - if err != nil { - t.Fatalf("Could not get CoreDNS serving instance: %s", err) - } - defer ex.Stop() - - m := new(dns.Msg) - m.SetQuestion(qname, qtype) - client := dns.Client{ - Net: "tcp-tls", - TLSConfig: &tls.Config{InsecureSkipVerify: true}, - } - r, _, err := client.Exchange(m, tcp) - - if err != nil { - t.Fatalf("Could not exchange msg: %s", err) + tests := []struct { + server string + tlsConfig *tls.Config + }{ + {fmt.Sprintf("tls://.%s", dot), + &tls.Config{InsecureSkipVerify: true}, + }, + {fmt.Sprintf("tls://.%s", dot), + &tls.Config{InsecureSkipVerify: true, NextProtos: []string{"dot"}}, + }, + {fmt.Sprintf("tls://.%s https://.%s", dot, doh), + &tls.Config{InsecureSkipVerify: true}, + }, + {fmt.Sprintf("tls://.%s https://.%s", dot, doh), + &tls.Config{InsecureSkipVerify: true, NextProtos: []string{"dot"}}, + }, } - if n := len(r.Answer); n != answerLength { - t.Fatalf("Expected %v answers, got %v", answerLength, n) - } - if n := len(r.Extra); n != 2 { - t.Errorf("Expected 2 RRs in additional section, but got %d", n) - } - if r.Rcode != dns.RcodeSuccess { - t.Errorf("Expected success but got %d", r.Rcode) + for _, tc := range tests { + ex, _, _, err := CoreDNSServerAndPorts(fmt.Sprintf(tempCorefile, tc.server)) + if err != nil { + t.Fatalf("Could not get CoreDNS serving instance: %s", err) + } + + client := dns.Client{ + Net: "tcp-tls", + TLSConfig: tc.tlsConfig, + } + r, _, err := client.Exchange(m, dot) + + if err != nil { + t.Fatalf("Could not exchange msg: 
%s", err) + } + + if n := len(r.Answer); n != answerLength { + t.Fatalf("Expected %v answers, got %v", answerLength, n) + } + if n := len(r.Extra); n != 2 { + t.Errorf("Expected 2 RRs in additional section, but got %d", n) + } + if r.Rcode != dns.RcodeSuccess { + t.Errorf("Expected success but got %d", r.Rcode) + } + ex.Stop() } }
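Review bot: Replacing `defer ex.Stop()` with a trailing `ex.Stop()` means every `t.Fatalf` inside the loop after the instance has started (the Exchange error and the answer-length check) exits with the CoreDNS instance still running, and the first failing case also hides the remaining cases. Wrapping each iteration in `t.Run` restores the deferred stop and gives each `server`/`tlsConfig` pair its own result, as in the fence below. The DoH cases only add an `https://` listener to the block while still querying `dot`, which appears intended to catch the shared-TLSConfig regression from the DoT side; a one-line comment on the `tests` table saying so would stop the next reader from assuming the DoH port is exercised. Both ports are hard-coded and the values returned by `CoreDNSServerAndPorts` are discarded, so a collision with another test in the package surfaces as a confusing Exchange failure rather than a start-up error.
```go
	for i, tc := range tests {
		t.Run(fmt.Sprintf("case%d", i), func(t *testing.T) {
			ex, _, _, err := CoreDNSServerAndPorts(fmt.Sprintf(tempCorefile, tc.server))
			if err != nil {
				t.Fatalf("Could not get CoreDNS serving instance: %s", err)
			}
			defer ex.Stop()
			// … unchanged: client construction, Exchange and the three response checks …
		})
	}
```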