diff -ru dnsdist-2.0.2.orig/dnsdist-nghttp2-in.cc dnsdist-2.0.2/dnsdist-nghttp2-in.cc
--- dnsdist-2.0.2.orig/dnsdist-nghttp2-in.cc 2025-11-27 14:25:28.000000000 +0100
+++ dnsdist-2.0.2/dnsdist-nghttp2-in.cc 2026-02-23 15:04:48.117325661 +0100
@@ -888,6 +888,15 @@
 query.d_headers.reset();
 }
 }
+ else if (!d_ci.cs->dohFrontend->d_earlyACLDrop) {
+ /* ONLY ACL lookup because the early check was skipped */
+ if (!dnsdist::configuration::getCurrentRuntimeConfiguration().d_ACL.match(d_proxiedRemote)) {
+ ++dnsdist::metrics::g_stats.aclDrops;
+ vinfolog("Query from %s (%s) (DoH) dropped because of ACL", d_ci.remote.toStringWithPort(), d_proxiedRemote.toStringWithPort());
+ handleImmediateResponse(403, "DoH query not allowed because of ACL");
+ return;
+ }
+ }
 if (d_ci.cs->dohFrontend->d_exactPathMatching) {
 if (d_ci.cs->dohFrontend->d_urls.count(query.d_path) == 0) {
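Review bot: The comment on the new `else if (!d_ci.cs->dohFrontend->d_earlyACLDrop)` branch does not say that this is the sole ACL enforcement point for such requests, which is what a maintainer needs to know before touching it. I would spell that out, for example `/* d_earlyACLDrop is off, so no ACL check ran at connection time and the branch above was not taken: this is the only ACL check for this query and must not be removed or bypassed */`. The `if` that this `else if` attaches to starts outside the hunk, so the change is only complete if that branch performs its own ACL match on `d_proxiedRemote` on every path, which is worth confirming. If that branch carries the same match/`aclDrops`/403 sequence, a small private helper shared by both would keep the two checks from drifting apart. A regression test that disables early ACL drop, sends a DoH query from a non-matching address and asserts a 403 plus an `aclDrops` increment would pin the behaviour.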