diff --git a/services/ns/resolver.nix b/services/ns/resolver.nix
index 4c17e6d..08c0341 100644
--- a/services/ns/resolver.nix
+++ b/services/ns/resolver.nix
@@ -38,6 +38,12 @@
         do-udp = "yes";
         do-tcp = "yes";
         extended-statistics = true;
+
+        # Recover faster from upstream failures (e.g. ISP outage)
+        # Default 900s is too long - keeps marking servers as bad
+        infra-host-ttl = 120;
+        # Clean up stale TLS connections faster (default 60s)
+        tcp-reuse-timeout = 15;
       };
       remote-control = {
         control-enable = true;