diff --git a/CONFIGURATION_GRAMMAR.md b/CONFIGURATION_GRAMMAR.md
index 2c8442a..fdde2df 100644
--- a/CONFIGURATION_GRAMMAR.md
+++ b/CONFIGURATION_GRAMMAR.md
@@ -458,6 +458,7 @@ options:
     - <address>
     - address: <address>
       port: <port>
+      tls: <tls_name>
   
   # DNSSEC
   dnssec_enable: <bool>                 # DEPRECATED in 9.15+
@@ -593,7 +594,8 @@ options:
     
     forwarders:
       - 1.1.1.1
-      - 8.8.8.8
+      - address: 8.8.8.8
+        tls: dot-tls
     
     dnssec_validation: auto
     
@@ -917,6 +919,7 @@ zones:
       - <address>
       - address: <address>
         port: <port>
+        tls: <tls_name>
     
     # DNSSEC
     dnssec_policy: <policy_name>  # DNSSEC policy to use
@@ -1017,7 +1020,8 @@ zones:
       forward: only
       forwarders:
         - 10.0.0.1
-        - 10.0.0.2
+        - address: 10.0.0.2
+          tls: internal-tls
 ```
 
 ---
@@ -1079,9 +1083,9 @@ addresses:
   - 10.0.0.0/8
 ```
 
-### Address with Port/DSCP
+### Address with Port/TLS
 
-For options accepting `address [port X] [dscp Y]`:
+For options accepting `address [port X] [tls Y]` (e.g., `forwarders`):
 
 ```yaml
 # Simple list
@@ -1089,27 +1093,28 @@ forwarders:
   - 1.1.1.1
   - 8.8.8.8
 
-# With source port/dscp
+# With global port/tls
 forwarders:
-  port: 5353
-  dscp: 46
+  port: 853
+  tls: dot-tls
   addresses:
     - 1.1.1.1
     - 8.8.8.8
 
-# Per-address port/dscp
+# Per-address port/tls
 forwarders:
   - address: 1.1.1.1
     port: 53
   - address: 8.8.8.8
-    port: 5353
-    dscp: 46
+    port: 853
+    tls: cloudflare-tls
 
 # Mixed format
 forwarders:
   - 1.1.1.1
   - address: 8.8.8.8
-    port: 5353
+    port: 853
+    tls: dot-tls
 ```
 
 ### Address with Key/TLS