3 files changed, 21 insertions, 6 deletions
diff --git a/README.md b/README.md
index 96305aa39..2a5d57c48 100644
--- a/README.md
+++ b/README.md
@@ -201,8 +201,15 @@ https://example.org {
     tls mycert mykey
 }
 ~~~
+in this setup, the CoreDNS will be responsible for TLS termination
 
-Note that you must have the *tls* plugin configured as DoH requires that to be setup.
+you can also start DNS server serving DoH without TLS termination (plain HTTP), but beware that in such scenario there has to be some kind
+of TLS termination proxy before CoreDNS instance, which forwards DNS requests otherwise clients will not be able to communicate via DoH with the server
+~~~ corefile
+https://example.org {
+    whoami
+}
+~~~
 
 Specifying ports works in the same way:
 
diff --git a/core/dnsserver/server_https.go b/core/dnsserver/server_https.go
index 5962a5f09..b8bdbc66d 100644
--- a/core/dnsserver/server_https.go
+++ b/core/dnsserver/server_https.go
@@ -39,12 +39,12 @@ func NewServerHTTPS(addr string, group []*Config) (*ServerHTTPS, error) {
 		// Should we error if some configs *don't* have TLS?
 		tlsConfig = conf.TLSConfig
 	}
-	if tlsConfig == nil {
-		return nil, fmt.Errorf("DoH requires TLS to be configured, see the tls plugin")
-	}
+
 	// http/2 is recommended when using DoH. We need to specify it in next protos
 	// or the upgrade won't happen.
-	tlsConfig.NextProtos = []string{"h2", "http/1.1"}
+	if tlsConfig != nil {
+		tlsConfig.NextProtos = []string{"h2", "http/1.1"}
+	}
 
 	// Use a custom request validation func or use the standard DoH path check.
 	var validator func(*http.Request) bool
diff --git a/plugin/tls/README.md b/plugin/tls/README.md
index da33c0951..9d945b83e 100644
--- a/plugin/tls/README.md
+++ b/plugin/tls/README.md
@@ -2,7 +2,7 @@
 
 ## Name
 
-*tls* - allows you to configure the server certificates for the TLS and gRPC servers.
+*tls* - allows you to configure the server certificates for the TLS, gRPC, DoH servers.
 
 ## Description
 
@@ -57,6 +57,14 @@ grpc://. {
 }
 ~~~
 
+Start a DoH server on port 443 that is similar to the previous example, but using DoH for incoming queries.
+~~~
+https://. {
+	tls cert.pem key.pem ca.pem
+	forward . /etc/resolv.conf
+}
+~~~
+
 Only Knot DNS' `kdig` supports DNS-over-TLS queries, no command line client supports gRPC making
 debugging these transports harder than it should be.
Age	Commit message (Expand)	Author	Files	Lines
2023-11-01	[ci] release (#8975)astro@3.4.2 @astrojs/underscore-redirects@0.3.2	Houston (Bot)	36	-76/+72
2023-11-01	[ci] format	matthewp	1	-12/+13
2023-11-01	feat(dev-overlay): Add a tooltip on plugin hover / focus (#8978)	Erika	3	-3/+46
2023-11-01	Prevent the route announcer from being visible (#8977)	Matthew Phillips	6	-18/+64
2023-11-01	feat: new event to toggle a plugin from itself (#8968)	Erika	2	-4/+13
2023-11-01	Fix ViewTransitions example (#8976)	Matthew Phillips	1	-3/+1
2023-11-01	feat(underscore-redirects): add `base` to input paths (#8953)	Alexander Niebuhr	2	-6/+17
2023-11-01	[ci] format	lilnasy	2	-3/+3
2023-11-01	fix(slots): consume eagerly rendered slot after one use (#8929)	Arsh	6	-2/+59
2023-11-01	[ci] release (#8934)create-astro@4.5.0 astro@3.4.1 @astrojs/vue@3.0.3 @astrojs/sitemap@3.0.3 @astrojs/partytown@2.0.2 @astrojs/markdoc@0.7.1	Houston (Bot)	50	-122/+120
2023-11-01	Undo the halloween theme (#8959)	Elian ☕️	3	-26/+24
2023-10-31	refactor: dev overlay to make it easier to work with VT (#8966)	Erika	10	-293/+386
2023-10-31	[ci] format	matthewp	1	-9/+9
2023-10-31	Move VT route announcer styles to a class (#8965)	Matthew Phillips	3	-4/+21
2023-10-31	Three small improvements for handling client-only in view transitions (#8964)	Martin Trapp	1	-2/+10
2023-10-30	chore(deps): Upgrade Zod to @latest (#8762)	Eva Decker	6	-11/+26