diff --git a/internal/dnsforward/msg.go b/internal/dnsforward/msg.go
index 10dceb11505..b28c523be4f 100644
--- a/internal/dnsforward/msg.go
+++ b/internal/dnsforward/msg.go
@@ -48,7 +48,7 @@ func (s *Server) genDNSFilterMessage(
 ) (resp *dns.Msg) {
 	req := dctx.Req
 	qt := req.Question[0].Qtype
-	if qt != dns.TypeA && qt != dns.TypeAAAA {
+	if qt != dns.TypeA && qt != dns.TypeAAAA && qt != dns.TypeHTTPS {
 		m, _, _ := s.dnsFilter.BlockingMode()
 		if m == filtering.BlockingModeNullIP {
 			return s.makeResponse(req)
diff --git a/internal/filtering/safesearch/safesearch.go b/internal/filtering/safesearch/safesearch.go
index d1ec36f86cb..d0d02aa9b68 100644
--- a/internal/filtering/safesearch/safesearch.go
+++ b/internal/filtering/safesearch/safesearch.go
@@ -226,8 +226,8 @@ func (ss *Default) searchHost(host string, qtype rules.RRType) (res *rules.DNSRe
 }
 
 // newResult creates Result object from rewrite rule.  qtype must be either
-// [dns.TypeA] or [dns.TypeAAAA].  If err is nil, res is never nil, so that the
-// empty result is converted into a NODATA response.
+// [dns.TypeA] or [dns.TypeAAAA], or [dns.TypeHTTPS].  If err is nil, res is
+// never nil, so that the empty result is converted into a NODATA response.
 //
 // TODO(a.garipov): Use the main rewrite result mechanism used in
 // [dnsforward.Server.filterDNSRequest].  Now we resolve IPs for CNAME to save
@@ -261,6 +261,9 @@ func (ss *Default) newResult(
 	}
 
 	res.CanonName = host
+	if qtype == dns.TypeHTTPS {
+		return res, nil
+	}
 
 	ss.log(log.DEBUG, "resolving %q", host)