diff --git a/dnscrypt-proxy/config.go b/dnscrypt-proxy/config.go
index 319e96e3..f167d4d4 100644
--- a/dnscrypt-proxy/config.go
+++ b/dnscrypt-proxy/config.go
@@ -218,8 +218,9 @@ type AnonymizedDNSRouteConfig struct {
 }
 
 type AnonymizedDNSConfig struct {
-	Routes []AnonymizedDNSRouteConfig `toml:"routes"`
-	SkipIncompatible bool `toml:"skip_incompatible"`
+	Routes []AnonymizedDNSRouteConfig `toml:"routes"`
+	SkipIncompatible bool `toml:"skip_incompatible"`
+	DirectCertFallback bool `toml:"direct_cert_fallback"`
 }
 
 type BrokenImplementationsConfig struct {
@@ -558,6 +559,7 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
 		proxy.routes = &routes
 	}
 	proxy.skipAnonIncompatbibleResolvers = config.AnonymizedDNS.SkipIncompatible
+	proxy.anonDirectCertFallback = config.AnonymizedDNS.DirectCertFallback
 
 	if config.DoHClientX509AuthLegacy.Creds != nil {
 		dlog.Fatal("[tls_client_auth] has been renamed to [doh_client_x509_auth] - Update your config file.")
diff --git a/dnscrypt-proxy/dnscrypt_certs.go b/dnscrypt-proxy/dnscrypt_certs.go
index ed9aecc4..8aab648c 100644
--- a/dnscrypt-proxy/dnscrypt_certs.go
+++ b/dnscrypt-proxy/dnscrypt_certs.go
@@ -34,8 +34,12 @@ func FetchCurrentDNSCryptCert(proxy *Proxy, serverName *string, proto string, pk
 	query := dns.Msg{}
 	query.SetQuestion(providerName, dns.TypeTXT)
 	if !strings.HasPrefix(providerName, "2.dnscrypt-cert.") {
-		dlog.Warnf("[%v] uses a non-standard provider name ('%v' doesn't start with '2.dnscrypt-cert.')", *serverName, providerName)
-		relayUDPAddr, relayTCPAddr = nil, nil
+		if (relayUDPAddr != nil && !proxy.anonDirectCertFallback) {
+			dlog.Warnf("[%v] uses a non-standard provider name, enable direct cert fallback to use with a relay ('%v' doesn't start with '2.dnscrypt-cert.')", *serverName, providerName)
+		} else {
+			dlog.Warnf("[%v] uses a non-standard provider name ('%v' doesn't start with '2.dnscrypt-cert.')", *serverName, providerName)
+			relayUDPAddr, relayTCPAddr = nil, nil
+		}
 	}
 	tryFragmentsSupport := true
 	if knownBugs.fragmentsBlocked {
@@ -256,7 +260,7 @@ func dnsExchange(proxy *Proxy, proto string, query *dns.Msg, serverAddress strin
 		return bestOption.response, bestOption.rtt, bestOption.fragmentsBlocked, nil
 	}
 
-	if relayUDPAddr == nil {
+	if (relayUDPAddr == nil || !proxy.anonDirectCertFallback) {
 		if err == nil {
 			err = errors.New("Unable to reach the server")
 		}
diff --git a/dnscrypt-proxy/example-dnscrypt-proxy.toml b/dnscrypt-proxy/example-dnscrypt-proxy.toml
index c668d2d6..71edeed2 100644
--- a/dnscrypt-proxy/example-dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/example-dnscrypt-proxy.toml
@@ -702,7 +702,9 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
 skip_incompatible = false
 
+# If unable to get the certificate for a server via the relay fallback to getting it directly
+# direct_cert_fallback = false
 
 
 
 ###############################
 # DNS64 #
diff --git a/dnscrypt-proxy/proxy.go b/dnscrypt-proxy/proxy.go
index f1d0ab54..9655d9ef 100644
--- a/dnscrypt-proxy/proxy.go
+++ b/dnscrypt-proxy/proxy.go
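Review bot: The parenthesised condition `if (relayUDPAddr != nil && !proxy.anonDirectCertFallback) {` is not gofmt output (gofmt drops redundant parentheses around an if condition), so the next formatting pass will rewrite this line; the same applies to the dnsExchange hunk below. Write it as `if relayUDPAddr != nil && !proxy.anonDirectCertFallback {`. The condition also inspects only relayUDPAddr while the else branch clears both relayUDPAddr and relayTCPAddr, which is only sound if the two are always set and cleared as a pair — the hunk does not show that, so either test both or add a comment such as `// relay UDP/TCP addresses are always set together`. FetchCurrentDNSCryptCert begins and ends outside the hunk.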
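Review bot: With direct_cert_fallback enabled, the new condition `if (relayUDPAddr == nil || !proxy.anonDirectCertFallback) {` makes any failure to reach the server through the relay fall through to a direct certificate fetch, so the resolver learns the client's IP address whenever relay traffic fails or is interfered with; that trade-off is the main reason the option defaults to off and should be stated in the example-dnscrypt-proxy.toml comment introduced in this commit, e.g. `# Note: a direct query reveals your IP address to the resolver`. If the direct retry that follows (outside the hunk) does not already log it, a `dlog.Warnf` naming the server when the fallback actually happens would make the downgrade visible in logs rather than silent. The parentheses around the condition are also not gofmt style. dnsExchange starts and ends outside the hunk.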
@@ -83,6 +83,7 @@ type Proxy struct {
 	showCerts bool
 	dohCreds *map[string]DOHClientCreds
 	skipAnonIncompatbibleResolvers bool
+	anonDirectCertFallback bool
 	dns64Prefixes []string
 	dns64Resolvers []string
 }