diff -ru dnsdist-1.9.11.orig/dnsdist-nghttp2-in.cc dnsdist-1.9.11/dnsdist-nghttp2-in.cc
--- dnsdist-1.9.11.orig/dnsdist-nghttp2-in.cc 2025-09-18 09:10:23.000000000 +0200
+++ dnsdist-1.9.11/dnsdist-nghttp2-in.cc 2026-02-23 14:43:18.952713698 +0100
@@ -870,6 +870,16 @@
 query.d_headers.reset();
 }
 }
+ else if (!d_ci.cs->dohFrontend->d_earlyACLDrop) {
+ auto& holders = d_threadData.holders;
+ /* ONLY ACL lookup because the early check was skipped */
+ if (!holders.acl->match(d_proxiedRemote)) {
+ ++dnsdist::metrics::g_stats.aclDrops;
+ vinfolog("Query from %s (%s) (DoH) dropped because of ACL", d_ci.remote.toStringWithPort(), d_proxiedRemote.toStringWithPort());
+ handleImmediateResponse(403, "DoH query not allowed because of ACL");
+ return;
+ }
+ }
 if (d_ci.cs->dohFrontend->d_exactPathMatching) {
 if (d_ci.cs->dohFrontend->d_urls.count(query.d_path) == 0) {
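Review bot: The new ACL enforcement hangs on an `else if`, so it runs only when the preceding `if` is not taken. That branch's condition and body start above the hunk, so it is not visible here whether it performs its own `holders.acl->match(d_proxiedRemote)` lookup on every path. If it ever stops doing so, a frontend with `d_earlyACLDrop` disabled would answer DoH queries with no ACL check at all, and nothing in this block would flag it. I would spell the invariant out in the comment, for example `/* d_earlyACLDrop is off, so the connection was accepted without an ACL check: this is the only lookup for requests that skip the branch above */`. I would also add a regression test asserting a 403 and an `aclDrops` increment for a non-matching client with early drop disabled. The enclosing function begins and ends outside the hunk.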