diff --git a/app.go b/app.go
index a31d126c..0ba9a765 100644
--- a/app.go
+++ b/app.go
@@ -197,6 +197,7 @@ func run(args options) {
 Addr: address,
 TLSConfig: &tls.Config{
 Certificates: []tls.Certificate{cert},
+MinVersion: tls.VersionTLS12,
 },
 }
 
diff --git a/dnsforward/dnsforward.go b/dnsforward/dnsforward.go
index 6404a995..224f4b28 100644
--- a/dnsforward/dnsforward.go
+++ b/dnsforward/dnsforward.go
@@ -175,7 +175,10 @@ func (s *Server) startInternal(config *ServerConfig) error {
 if err != nil {
 return errorx.Decorate(err, "Failed to parse TLS keypair")
 }
-proxyConfig.TLSConfig = &tls.Config{Certificates: []tls.Certificate{keypair}}
+proxyConfig.TLSConfig = &tls.Config{
+Certificates: []tls.Certificate{keypair},
+MinVersion: tls.VersionTLS12,
+}
 }
 
 if proxyConfig.UDPListenAddr == nil {
diff --git a/dnsforward/dnsforward_test.go b/dnsforward/dnsforward_test.go
index c068d0ef..b568d4e0 100644
--- a/dnsforward/dnsforward_test.go
+++ b/dnsforward/dnsforward_test.go
@@ -101,7 +101,11 @@ func TestDotServer(t *testing.T) {
 // Add our self-signed generated config to roots
 roots := x509.NewCertPool()
 roots.AppendCertsFromPEM(certPem)
-tlsConfig := &tls.Config{ServerName: tlsServerName, RootCAs: roots}
+tlsConfig := &tls.Config{
+ServerName: tlsServerName,
+RootCAs: roots,
+MinVersion: tls.VersionTLS12,
+}
 
 // Create a DNS-over-TLS client connection
 addr := s.dnsProxy.Addr(proxy.ProtoTLS)
@@ -459,7 +463,7 @@ func createServerTLSConfig(t *testing.T) (*tls.Config, []byte, []byte) {
 t.Fatalf("failed to create certificate: %s", err)
 }
 
-return &tls.Config{Certificates: []tls.Certificate{cert}, ServerName: tlsServerName}, certPem, keyPem
+return &tls.Config{Certificates: []tls.Certificate{cert}, ServerName: tlsServerName, MinVersion: tls.VersionTLS12}, certPem, keyPem
 }
 
 func createDataDir(t *testing.T) string {
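Review bot: The protocol floor on the added `MinVersion: tls.VersionTLS12,` line is a bare literal that is repeated on the new lines of the dnsforward/dnsforward.go hunk in `startInternal`, so the HTTPS listener and the DNS-over-TLS listener can silently drift apart the next time one of them is adjusted; a single exported constant in a package both can import, documented as `// MinTLSVersion is the lowest protocol version any listener accepts; older clients fail at the handshake.`, would tie them together. A why-comment on the field itself would also help a reader who does not know the history, e.g. `// Refuse TLS 1.0/1.1; the handshake fails before any application data is exchanged.` If the Go toolchain in use still enables CBC or RSA-key-exchange suites by default, `CipherSuites` is the companion knob worth reviewing for the same two listeners, but that is outside what this commit shows. The enclosing `run` function begins and ends outside the hunk.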
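Review bot: The `MinVersion` added to the client-side `tlsConfig` in `TestDotServer` does not exercise the server-side floor introduced in dnsforward.go — a TLS 1.2 client handshakes successfully whether or not the server enforces a minimum, so the test passes unchanged either way. A companion case that dials with `MaxVersion: tls.VersionTLS11` in the client config and asserts that the handshake returns an error would actually pin the new server behaviour; on recent Go releases the client default minimum is already TLS 1.2, which makes the added field otherwise redundant. `TestDotServer`'s body continues outside the hunk on both sides.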