diff --git a/bin/named/server.c b/bin/named/server.c
index 02e09b13f6..83ac8eed7a 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -11090,6 +11090,9 @@ listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 
 			tlsmap = find_maplist(config, "tls", tlsname);
 			if (tlsmap == NULL) {
+				cfg_obj_log(tlsobj, named_g_lctx, ISC_LOG_ERROR,
+					    "tls '%s' is not defined",
+					    cfg_obj_asstring(tlsobj));
 				return (ISC_R_FAILURE);
 			}
 
@@ -11110,7 +11113,11 @@ listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 		}
 
 		http_server = find_maplist(config, "http", httpname);
-		if (http_server == NULL) {
+		if (http_server == NULL && strcasecmp(httpname, "default") != 0)
+		{
+			cfg_obj_log(httpobj, named_g_lctx, ISC_LOG_ERROR,
+				    "http '%s' is not defined",
+				    cfg_obj_asstring(httpobj));
 			return (ISC_R_FAILURE);
 		}
 
@@ -11178,7 +11185,6 @@ listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 	}
 
 	if (http) {
-		INSIST(http_server != NULL);
 		CHECK(listenelt_http(http_server, do_tls, key, cert, port, mctx,
 				     &delt));
 	} else {
@@ -11208,7 +11214,7 @@ listenelt_http(const cfg_obj_t *http, bool tls, const char *key,
 	char **endpoints = NULL;
 	const cfg_obj_t *eplist = NULL;
 	const cfg_listelt_t *elt = NULL;
-	size_t len, i = 0;
+	size_t len = 1, i = 0;
 
 	REQUIRE(target != NULL && *target == NULL);
 	REQUIRE((key == NULL) == (cert == NULL));
@@ -11217,15 +11223,26 @@ listenelt_http(const cfg_obj_t *http, bool tls, const char *key,
 		port = tls ? named_g_httpsport : named_g_httpport;
 	}
 
-	CHECK(cfg_map_get(http, "endpoints", &eplist));
-	len = cfg_list_length(eplist, false);
+	/*
+	 * If "default" was used, we set up the default endpoint
+	 * of "/dns-query".
+	 */
+	if (http != NULL) {
+		CHECK(cfg_map_get(http, "endpoints", &eplist));
+		len = cfg_list_length(eplist, false);
+	}
+
 	endpoints = isc_mem_allocate(mctx, sizeof(endpoints[0]) * len);
 
-	for (elt = cfg_list_first(eplist); elt != NULL;
-	     elt = cfg_list_next(elt)) {
-		const cfg_obj_t *ep = cfg_listelt_value(elt);
-		const char *path = cfg_obj_asstring(ep);
-		endpoints[i++] = isc_mem_strdup(mctx, path);
+	if (http != NULL) {
+		for (elt = cfg_list_first(eplist); elt != NULL;
+		     elt = cfg_list_next(elt)) {
+			const cfg_obj_t *ep = cfg_listelt_value(elt);
+			const char *path = cfg_obj_asstring(ep);
+			endpoints[i++] = isc_mem_strdup(mctx, path);
+		}
+	} else {
+		endpoints[i++] = isc_mem_strdup(mctx, "/dns-query");
 	}
 
 	INSIST(i == len);
diff --git a/bin/tests/system/checkconf/good-doh-3.conf b/bin/tests/system/checkconf/good-doh-3.conf
new file mode 100644
index 0000000000..c570e6c447
--- /dev/null
+++ b/bin/tests/system/checkconf/good-doh-3.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	listen-on { 10.53.0.1; };
+	http-port 80;
+	https-port 443;
+	listen-on port 8080 tls none http default { 10.53.0.1; };
+};
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 0788229ba1..641a0054fc 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2468,17 +2468,24 @@ DNS queries on port 53 of all IPv6 interfaces.
 
 If a TLS configuration is specified, ``named`` will listen for DNS-over-TLS
 (DoT) connections, using the key and certificate specified in the
-referenced ``tls`` statement.
+referenced ``tls`` statement. If the name ``ephemeral`` is used,
+an ephemeral key and certificate created for the currently running
+``named`` process will be used.
 
 If an HTTP configuration is specified, ``named`` will listen for
 DNS-over-HTTPS (DoH) connections using the HTTP endpoint specified in the
-referenced ``http`` statement. ``http`` and ``tls`` configurations must be
-used together. If an unencrypted connection is desired (for example, when
-load-sharing servers behind a reverse proxy), ``tls none`` may be
-used.
+referenced ``http`` statement.  If the name ``default`` is used, then
+``named`` will listen for connections at the default endpoint,
+``/dns-query``.
+
+Use of an ``http`` specification requires ``tls`` to be specified
+as well.  If an unencrypted connection is desired (for example,
+on load-sharing servers behind a reverse proxy), ``tls none`` may be used.
 
 If a port number is not specified, the default is 53 for standard DNS, 853
-for DNS-over-TLS, and 443 for DNS-over-HTTPS.
+for DNS over TLS, 443 for DNS over HTTPS, and 80 for DNS over unenecrypted
+HTTP.  These defaults may be overridden using the ``port``, ``tls-port``,
+``https-port`` and ``http-port`` options.
 
 Multiple ``listen-on`` statements are allowed. For example:
 
@@ -2493,11 +2500,10 @@ The first two lines instruct the name server to listen for standard DNS
 queries on port 53 of the IP address 5.6.7.8 and on port 1234 of an address
 on the machine in net 1.2 that is not 1.2.3.4. The third line instructs the
 server to listen for DNS-over-TLS connections on port 8853 of the IP
-address 4.3.2.1 using an ephemeral TLS key and certificate created for the
-currently running ``named`` process. The fourth line enables DNS-over-HTTPS
-connections on port 8453 of address 8.7.6.5, using the same ephemeral
-key and certificate, and the HTTP endpoint or endpoints configured in
-an ``http`` statement with the name ``myserver``.
+address 4.3.2.1 using the ephemeral key and certifcate.  The fourth line
+enables DNS-over-HTTPS connections on port 8453 of address 8.7.6.5, using
+the ephemeral key and certificate, and the HTTP endpoint or endpoints
+configured in an ``http`` statement with the name ``myserver``.
 
 Multiple ``listen-on-v6`` options can be used. For example:
 
@@ -2506,7 +2512,7 @@ Multiple ``listen-on-v6`` options can be used. For example:
    listen-on-v6 { any; };
    listen-on-v6 port 1234 { !2001:db8::/32; any; };
    listen-on port 8853 tls example-tls { 2001:db8::100; };
-   listen-on port 8453 tls example-tls http myserver { 2001:db8::100; };
+   listen-on port 8453 tls example-tls http default { 2001:db8::100; };
    listen-on port 8000 tls none http myserver { 2001:db8::100; };
 
 The first two lines instruct the name server to listen for standard DNS
@@ -2516,9 +2522,10 @@ instructs the server to listen for for DNS-over-TLS connections on port
 8853 of the address 2001:db8::100, using a TLS key and certificate specified
 in the a ``tls`` statement with the name ``example-tls``. The fourth
 instructs the server to listen for DNS-over-HTTPS connections, again using
-``example-tls``, on the HTTP endpoint specified in ``http myserver``. The
-fifth line, in which the ``tls`` parameter is set to ``none``, instructs
-the server to listen for *unencrypted* DNS queries over HTTP.
+``example-tls``, on the default HTTP endpoint. The fifth line, in which
+the ``tls`` parameter is set to ``none``, instructs the server to listen
+for *unencrypted* DNS queries over HTTP at the endpoint specified in
+``myserver``..
 
 To instruct the server not to listen on any IPv6 addresses, use:
 
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index d514936be0..9555ba37f9 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -972,7 +972,8 @@ check_listener(const cfg_obj_t *listener, const cfg_obj_t *config,
 		}
 
 		http_server = find_maplist(config, "http", httpname);
-		if (http_server == NULL) {
+		if (http_server == NULL && strcasecmp(httpname, "default") != 0)
+		{
 			cfg_obj_log(httpobj, logctx, ISC_LOG_ERROR,
 				    "http '%s' is not defined",
 				    cfg_obj_asstring(httpobj));