Ahh, ok if you want to access services in both directions then it would make sense to give Dial permission to the tunneler that's on the server. I didn't understand that detail and thought we were only talking about connections from one host to another. So the "server" is actually a server and a client. We can do that.
What services are running on the hosts that I've been thinking of as the client so far? Is it also http[s]? If so, we do have a trick called "addressable terminators" that makes this sort of thing easier. Basically it lets you use a single OpenZiti service (with a single intercept.v1 and host.v1 configuration) to connect to different specific identities that are hosting a service based on the name of the identity. So for example you'd name your identities as the hostnames that are in your intercept.v1 addresses and you change the intercept.v1 and host.v1 configurations a little to tell the tunnelers to connect to (or present) a specific identity. It's come up in other threads here - give this thread a skim for an overview: How can I create a service for ssh and add identities with the least amount of policies/configs/etc? - #2 by scareything. We can talk about addressable terminators if it seems like it would be useful to you, but first I'd like to get back to the DNS issue that I misunderstood.
So, which operating system and version is the tunneler running on where the DNS lookup is failing? The tunneler tries to set itself up as a DNS server in the host's resolver configuration, so we'll want to look at the resolver setup while the tunneler is running (and the policies are set appropriately).
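To make the "addressable terminators" idea from the reply above concrete, here is an added illustration of what the two service configurations look like for an HTTPS service shared by several hosting identities. This is not configuration from the thread or from the OpenZiti project itself; the wildcard address `*.example.ziti`, port 443 and identity names such as `web1.example.ziti` are assumptions chosen to match the pattern described (identities named after the intercepted hostnames). The `dialOptions.identity` and `listenOptions.identity` keys with the `$dst_hostname` and `$tunneler_id.name` tokens are the documented OpenZiti mechanism as I understand it; verify them against the current OpenZiti docs before relying on them.

```json
{
  "intercept.v1": {
    "addresses": ["*.example.ziti"],
    "portRanges": [{ "low": 443, "high": 443 }],
    "protocols": ["tcp"],
    "dialOptions": {
      "identity": "$dst_hostname"
    }
  },
  "host.v1": {
    "address": "127.0.0.1",
    "port": 443,
    "protocol": "tcp",
    "listenOptions": {
      "identity": "$tunneler_id.name"
    }
  }
}
```

With this pair, a dial from a client tunneler to `https://web1.example.ziti` is routed only to the hosting tunneler whose identity is named `web1.example.ziti`, because the intercepting side requests the terminator whose identity equals the destination hostname and each hosting side registers a terminator under its own identity name. One service, one intercept.v1 and one host.v1 config cover every host; adding a host is then just enrolling an identity with the matching name and binding it to the service through the existing policies. The same shape works for the bidirectional setup discussed above, since an identity can both dial and bind the service. The checks that matter from a least-privilege standpoint are that each hosting identity's name really is the hostname it should answer for (a misnamed identity silently becomes reachable under the wrong name) and that the bind policy only grants the service to the identities that should present it.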