diff --git a/netenv/online-status.go b/netenv/online-status.go
index 099e438e..c5983f7c 100644
--- a/netenv/online-status.go
+++ b/netenv/online-status.go
@@ -39,6 +39,9 @@ var (
 	DNSTestDomain     = "one.one.one.one."
 	DNSTestExpectedIP = net.IPv4(1, 1, 1, 1)
 
+	DNSFallbackTestDomain     = "dns-check.safing.io."
+	DNSFallbackTestExpectedIP = net.IPv4(0, 65, 67, 75) // Ascii: \0ACK
+
 	// SpecialCaptivePortalDomain is the domain name used to point to the detected captive portal IP
 	// or the captive portal test IP. The default value should be overridden by the resolver package,
 	// which defines the custom internal domain name to use.
@@ -47,7 +50,8 @@ var (
 	// ConnectivityDomains holds all connectivity domains. This slice must not be modified.
 	ConnectivityDomains = []string{
 		SpecialCaptivePortalDomain,
-		"one.one.one.one.", // Internal DNS Check
+		DNSTestDomain,         // Internal DNS Check
+		DNSFallbackTestDomain, // Internal DNS Check
 
 		// Windows
 		"dns.msftncsi.com.", // DNS Check
@@ -438,15 +442,27 @@ func checkOnlineStatus(ctx context.Context) {
 
 	// 3) resolve a query
 
-	// make DNS request
+	// Check with primary dns check domain.
 	ips, err := net.LookupIP(DNSTestDomain)
+	if err == nil {
+		// check for expected response
+		for _, ip := range ips {
+			if ip.Equal(DNSTestExpectedIP) {
+				updateOnlineStatus(StatusOnline, nil, "all checks passed")
+				return
+			}
+		}
+	}
+
+	// If that did not work, check with fallback dns check domain.
+	ips, err = net.LookupIP(DNSFallbackTestDomain)
 	if err != nil {
-		updateOnlineStatus(StatusSemiOnline, nil, "dns check query failed")
+		updateOnlineStatus(StatusLimited, nil, "dns fallback check query failed")
 		return
 	}
 	// check for expected response
 	for _, ip := range ips {
-		if ip.Equal(DNSTestExpectedIP) {
+		if ip.Equal(DNSFallbackTestExpectedIP) {
 			updateOnlineStatus(StatusOnline, nil, "all checks passed")
 			return
 		}
diff --git a/profile/config.go b/profile/config.go
index d819cbe6..617e51e7 100644
--- a/profile/config.go
+++ b/profile/config.go
@@ -521,7 +521,7 @@ Current Features:
 Please note that if you are using the system resolver, bypass attempts might be additionally blocked there too.`,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelUser,
-		ReleaseLevel:   config.ReleaseLevelBeta,
+		ReleaseLevel:   config.ReleaseLevelStable,
 		DefaultValue:   status.SecurityLevelsAll,
 		PossibleValues: status.SecurityLevelValues,
 		Annotations: config.Annotations{
diff --git a/updates/config.go b/updates/config.go
index 2907b89c..f4aec988 100644
--- a/updates/config.go
+++ b/updates/config.go
@@ -59,12 +59,6 @@ func registerConfig() error {
 				Description: "Dangerous development releases for testing random things and experimenting. Only use temporarily and when instructed.",
 				Value:       helper.ReleaseChannelStaging,
 			},
-			// TODO: Remove as soon as everyone has switched away.
-			{
-				Name:        "Special (Deprecated!)",
-				Description: "This channel has been deprecated. If selected, the Stable channel will be used instead.",
-				Value:       "special",
-			},
 		},
 		Annotations: config.Annotations{
 			config.DisplayOrderAnnotation: -4,