diff --git a/plugin/pkg/tls/tls.go b/plugin/pkg/tls/tls.go
index 8d36d6823..cba25503e 100644
--- a/plugin/pkg/tls/tls.go
+++ b/plugin/pkg/tls/tls.go
@@ -11,6 +11,22 @@ import (
 	"time"
 )
 
+func setTLSDefaults(ctls *tls.Config) {
+	ctls.MinVersion = tls.VersionTLS12
+	ctls.MaxVersion = tls.VersionTLS13
+	ctls.CipherSuites = []uint16{
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	}
+}
+
 // NewTLSConfigFromArgs returns a TLS config based upon the passed
 // in list of arguments. Typically these come straight from the
 // Corefile.
@@ -76,7 +92,10 @@ func NewTLSConfig(certPath, keyPath, caPath string) (*tls.Config, error) {
 		return nil, err
 	}
 
-	return &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots}, nil
+	tlsConfig := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots}
+	setTLSDefaults(tlsConfig)
+
+	return tlsConfig, nil
 }
 
 // NewTLSClientConfig returns a TLS config for a client connection
@@ -87,7 +106,10 @@ func NewTLSClientConfig(caPath string) (*tls.Config, error) {
 		return nil, err
 	}
 
-	return &tls.Config{RootCAs: roots}, nil
+	tlsConfig := &tls.Config{RootCAs: roots}
+	setTLSDefaults(tlsConfig)
+
+	return tlsConfig, nil
 }
 
 func loadRoots(caPath string) (*x509.CertPool, error) {
diff --git a/plugin/tls/tls.go b/plugin/tls/tls.go
index 930c5e702..2658159a9 100644
--- a/plugin/tls/tls.go
+++ b/plugin/tls/tls.go
@@ -19,22 +19,6 @@ func setup(c *caddy.Controller) error {
 	return nil
 }
 
-func setTLSDefaults(tls *ctls.Config) {
-	tls.MinVersion = ctls.VersionTLS12
-	tls.MaxVersion = ctls.VersionTLS13
-	tls.CipherSuites = []uint16{
-		ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-		ctls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-		ctls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-		ctls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-		ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	}
-}
-
 func parseTLS(c *caddy.Controller) error {
 	config := dnsserver.GetConfig(c)
 
@@ -81,8 +65,6 @@ func parseTLS(c *caddy.Controller) error {
 		// NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.
 		tls.ClientCAs = tls.RootCAs
 
-		setTLSDefaults(tls)
-
 		config.TLSConfig = tls
 	}
 	return nil