diff --git a/README.md b/README.md
index 96305aa39..2a5d57c48 100644
--- a/README.md
+++ b/README.md
@@ -201,8 +201,15 @@ https://example.org {
     tls mycert mykey
 }
 ~~~
+in this setup, the CoreDNS will be responsible for TLS termination
 
-Note that you must have the *tls* plugin configured as DoH requires that to be setup.
+you can also start DNS server serving DoH without TLS termination (plain HTTP), but beware that in such scenario there has to be some kind
+of TLS termination proxy before CoreDNS instance, which forwards DNS requests otherwise clients will not be able to communicate via DoH with the server
+~~~ corefile
+https://example.org {
+    whoami
+}
+~~~
 
 Specifying ports works in the same way:
 
diff --git a/core/dnsserver/server_https.go b/core/dnsserver/server_https.go
index 5962a5f09..b8bdbc66d 100644
--- a/core/dnsserver/server_https.go
+++ b/core/dnsserver/server_https.go
@@ -39,12 +39,12 @@ func NewServerHTTPS(addr string, group []*Config) (*ServerHTTPS, error) {
 		// Should we error if some configs *don't* have TLS?
 		tlsConfig = conf.TLSConfig
 	}
-	if tlsConfig == nil {
-		return nil, fmt.Errorf("DoH requires TLS to be configured, see the tls plugin")
-	}
+
 	// http/2 is recommended when using DoH. We need to specify it in next protos
 	// or the upgrade won't happen.
-	tlsConfig.NextProtos = []string{"h2", "http/1.1"}
+	if tlsConfig != nil {
+		tlsConfig.NextProtos = []string{"h2", "http/1.1"}
+	}
 
 	// Use a custom request validation func or use the standard DoH path check.
 	var validator func(*http.Request) bool
diff --git a/plugin/tls/README.md b/plugin/tls/README.md
index da33c0951..9d945b83e 100644
--- a/plugin/tls/README.md
+++ b/plugin/tls/README.md
@@ -2,7 +2,7 @@
 
 ## Name
 
-*tls* - allows you to configure the server certificates for the TLS and gRPC servers.
+*tls* - allows you to configure the server certificates for the TLS, gRPC, DoH servers.
 
 ## Description
 
@@ -57,6 +57,14 @@ grpc://. {
 }
 ~~~
 
+Start a DoH server on port 443 that is similar to the previous example, but using DoH for incoming queries.
+~~~
+https://. {
+	tls cert.pem key.pem ca.pem
+	forward . /etc/resolv.conf
+}
+~~~
+
 Only Knot DNS' `kdig` supports DNS-over-TLS queries, no command line client supports gRPC making
 debugging these transports harder than it should be.