diff --git a/plugin/forward/connect.go b/plugin/forward/connect.go
index 1e5b5b708..e4bf64f2b 100644
--- a/plugin/forward/connect.go
+++ b/plugin/forward/connect.go
@@ -58,7 +58,7 @@ func (p *Proxy) Connect(ctx context.Context, state request.Request, forceTCP, me
 	if err := conn.WriteMsg(state.Req); err != nil {
 		conn.Close() // not giving it back
 		if err == io.EOF && cached {
-			return nil, errCachedClosed
+			return nil, ErrCachedClosed
 		}
 		return nil, err
 	}
@@ -69,7 +69,7 @@ func (p *Proxy) Connect(ctx context.Context, state request.Request, forceTCP, me
 		p.updateRtt(timeout)
 		conn.Close() // not giving it back
 		if err == io.EOF && cached {
-			return nil, errCachedClosed
+			return nil, ErrCachedClosed
 		}
 		return ret, err
 	}
diff --git a/plugin/forward/forward.go b/plugin/forward/forward.go
index f20bdd06b..ce81392f5 100644
--- a/plugin/forward/forward.go
+++ b/plugin/forward/forward.go
@@ -104,7 +104,7 @@ func (f *Forward) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg
 		)
 		for {
 			ret, err = proxy.Connect(ctx, state, f.forceTCP, true)
-			if err != nil && err == errCachedClosed { // Remote side closed conn, can only happen with TCP.
+			if err != nil && err == ErrCachedClosed { // Remote side closed conn, can only happen with TCP.
 				continue
 			}
 			break
@@ -150,7 +150,7 @@ func (f *Forward) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg
 		return dns.RcodeServerFailure, upstreamErr
 	}
 
-	return dns.RcodeServerFailure, errNoHealthy
+	return dns.RcodeServerFailure, ErrNoHealthy
 }
 
 func (f *Forward) match(state request.Request) bool {
@@ -186,10 +186,12 @@ func (f *Forward) ForceTCP() bool { return f.forceTCP }
 func (f *Forward) List() []*Proxy { return f.p.List(f.proxies) }
 
 var (
-	errInvalidDomain = errors.New("invalid domain for forward")
-	errNoHealthy     = errors.New("no healthy proxies")
-	errNoForward     = errors.New("no forwarder defined")
-	errCachedClosed  = errors.New("cached connection was closed by peer")
+	// ErrNoHealthy means no healthy proxies left
+	ErrNoHealthy = errors.New("no healthy proxies")
+	// ErrNoForward means no forwarder defined
+	ErrNoForward = errors.New("no forwarder defined")
+	// ErrCachedClosed means cached connection was closed by peer
+	ErrCachedClosed = errors.New("cached connection was closed by peer")
 )
 
 // policy tells forward what policy for selecting upstream it uses.
diff --git a/plugin/forward/lookup.go b/plugin/forward/lookup.go
index 02dbf5e67..65ee593f0 100644
--- a/plugin/forward/lookup.go
+++ b/plugin/forward/lookup.go
@@ -16,7 +16,7 @@ import (
 // Forward may be called with a nil f, an error is returned in that case.
 func (f *Forward) Forward(state request.Request) (*dns.Msg, error) {
 	if f == nil {
-		return nil, errNoForward
+		return nil, ErrNoForward
 	}
 
 	fails := 0
@@ -56,7 +56,7 @@ func (f *Forward) Forward(state request.Request) (*dns.Msg, error) {
 		return nil, upstreamErr
 	}
 
-	return nil, errNoHealthy
+	return nil, ErrNoHealthy
 }
 
 // Lookup will use name and type to forge a new message and will send that upstream. It will
@@ -64,7 +64,7 @@ func (f *Forward) Forward(state request.Request) (*dns.Msg, error) {
 // Lookup may be called with a nil f, an error is returned in that case.
 func (f *Forward) Lookup(state request.Request, name string, typ uint16) (*dns.Msg, error) {
 	if f == nil {
-		return nil, errNoForward
+		return nil, ErrNoForward
 	}
 
 	req := new(dns.Msg)
diff --git a/plugin/forward/proxy.go b/plugin/forward/proxy.go
index 0e0264b6b..588b21510 100644
--- a/plugin/forward/proxy.go
+++ b/plugin/forward/proxy.go
@@ -63,6 +63,9 @@ func (p *Proxy) SetTLSConfig(cfg *tls.Config) {
 	p.client = dnsClient(cfg)
 }
 
+// IsTLS returns true if proxy uses tls.
+func (p *Proxy) IsTLS() bool { return p.transport.tlsConfig != nil }
+
 // SetExpire sets the expire duration in the lower p.transport.
 func (p *Proxy) SetExpire(expire time.Duration) { p.transport.SetExpire(expire) }