diff --git a/firewall/bypassing.go b/firewall/bypassing.go
index 602fbea2..7416cc93 100644
--- a/firewall/bypassing.go
+++ b/firewall/bypassing.go
@@ -15,7 +15,7 @@ func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string, nsu
 	if strings.ToLower(conn.Entity.Domain) == "use-application-dns.net." {
 		return endpoints.Denied,
 			"blocked canary domain to prevent enabling of DNS-over-HTTPs",
-			nsutil.NxDomain("blocked canary domain to prevent enabling of DNS-over-HTTPs")
+			nsutil.NxDomain("")
 	}
 
 	return endpoints.NoMatch, "", nil
diff --git a/resolver/resolver-tcp.go b/resolver/resolver-tcp.go
index c777b71c..54a7a8f5 100644
--- a/resolver/resolver-tcp.go
+++ b/resolver/resolver-tcp.go
@@ -76,7 +76,7 @@ func NewTCPResolver(resolver *Resolver) *TCPResolver {
 		clientHeartbeat: make(chan struct{}),
 		clientCancel:    func() {},
 		connInstanceID:  &instanceID,
-		queries:         make(chan *dns.Msg, 1000),
+		queries:         make(chan *dns.Msg, 100),
 		inFlightQueries: make(map[uint16]*InFlightQuery),
 	}
 }
@@ -187,6 +187,7 @@ func (tr *TCPResolver) checkClientStatus() {
 	select {
 	case tr.clientHeartbeat <- struct{}{}:
 	case <-time.After(defaultRequestTimeout):
+		log.Warningf("resolver: heartbeat failed for %s dns client, stopping", tr.resolver.GetName())
 		cancelClient()
 	}
 }