diff --git a/AGHTechDoc.md b/AGHTechDoc.md
index 0aade0a7..ea2ed95a 100644
--- a/AGHTechDoc.md
+++ b/AGHTechDoc.md
@@ -822,6 +822,7 @@ Response:
 		"blocking_mode": "nxdomain" | "null_ip" | "custom_ip",
 		"blocking_ipv4": "1.2.3.4",
 		"blocking_ipv6": "1:2:3::4",
+		"edns_cs_enabled": true | false,
 	}
 
 
@@ -837,6 +838,7 @@ Request:
 		"blocking_mode": "nxdomain" | "null_ip" | "custom_ip",
 		"blocking_ipv4": "1.2.3.4",
 		"blocking_ipv6": "1:2:3::4",
+		"edns_cs_enabled": true | false,
 	}
 
 Response:
diff --git a/dnsforward/dnsforward.go b/dnsforward/dnsforward.go
index 2630770e..afd0149e 100644
--- a/dnsforward/dnsforward.go
+++ b/dnsforward/dnsforward.go
@@ -112,6 +112,8 @@ type FilteringConfig struct {
 	BootstrapDNS       []string `yaml:"bootstrap_dns"`        // a list of bootstrap DNS for DoH and DoT (plain DNS only)
 	AllServers         bool     `yaml:"all_servers"`          // if true, parallel queries to all configured upstream servers are enabled
 
+	EnableEDNSClientSubnet bool `yaml:"edns_client_subnet"` // Enable EDNS Client Subnet option
+
 	AllowedClients    []string `yaml:"allowed_clients"`    // IP addresses of whitelist clients
 	DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked
 	BlockedHosts      []string `yaml:"blocked_hosts"`      // hosts that should be blocked
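Review bot: The comment on `EnableEDNSClientSubnet` does not say what turning the option on discloses. EDNS Client Subnet, as the protocol defines it, attaches part of the client's address to queries sent upstream, so this is a privacy-relevant switch and the comment should say so, for example `// if true, the EDNS Client Subnet option is sent upstream (discloses part of the client's address to upstream resolvers)`. The same explanation is missing from the `edns_cs_enabled` entries in openapi/openapi.yaml and AGHTechDoc.md. The YAML key `edns_client_subnet` also differs from the JSON name `edns_cs_enabled`, which makes the setting harder to trace between the config file and the API. The FilteringConfig struct starts and ends outside this hunk.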
@@ -229,6 +231,7 @@ func (s *Server) prepare(config *ServerConfig) error {
 		BeforeRequestHandler:     s.beforeRequestHandler,
 		RequestHandler:           s.handleDNSRequest,
 		AllServers:               s.conf.AllServers,
+		EnableEDNSClientSubnet:   s.conf.EnableEDNSClientSubnet,
 	}
 
 	s.access = &accessCtx{}
diff --git a/dnsforward/dnsforward_http.go b/dnsforward/dnsforward_http.go
index 680f5c2b..e0ddd36b 100644
--- a/dnsforward/dnsforward_http.go
+++ b/dnsforward/dnsforward_http.go
@@ -27,6 +27,7 @@ type dnsConfigJSON struct {
 	BlockingMode      string `json:"blocking_mode"`
 	BlockingIPv4      string `json:"blocking_ipv4"`
 	BlockingIPv6      string `json:"blocking_ipv6"`
+	EDNSCSEnabled     bool   `json:"edns_cs_enabled"`
 }
 
 func (s *Server) handleGetConfig(w http.ResponseWriter, r *http.Request) {
@@ -37,6 +38,7 @@ func (s *Server) handleGetConfig(w http.ResponseWriter, r *http.Request) {
 	resp.BlockingIPv4 = s.conf.BlockingIPv4
 	resp.BlockingIPv6 = s.conf.BlockingIPv6
 	resp.RateLimit = s.conf.Ratelimit
+	resp.EDNSCSEnabled = s.conf.EnableEDNSClientSubnet
 	s.RUnlock()
 
 	js, err := json.Marshal(resp)
@@ -110,6 +112,11 @@ func (s *Server) handleSetConfig(w http.ResponseWriter, r *http.Request) {
 		s.conf.Ratelimit = req.RateLimit
 	}
 
+	if js.Exists("edns_cs_enabled") {
+		s.conf.EnableEDNSClientSubnet = req.EDNSCSEnabled
+		restart = true
+	}
+
 	s.Unlock()
 	s.conf.ConfigModified()
 
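Review bot: `restart = true` is set whenever the `edns_cs_enabled` key is present, even when the submitted value equals the current one, so a client that posts the full config presumably triggers a server restart on every save. Comparing first would avoid that: `if js.Exists("edns_cs_enabled") && s.conf.EnableEDNSClientSubnet != req.EDNSCSEnabled {`. Because this switch changes what client information is sent upstream, a log line recording the new value would help when auditing configuration changes. Whether the handler already logs changes elsewhere is not visible here, since handleSetConfig starts and ends outside the hunk.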
diff --git a/openapi/openapi.yaml b/openapi/openapi.yaml
index 410e668d..2400b9b7 100644
--- a/openapi/openapi.yaml
+++ b/openapi/openapi.yaml
@@ -1082,6 +1082,8 @@ definitions:
                 type: "string"
             blocking_ipv6:
                 type: "string"
+            edns_cs_enabled:
+                type: "boolean"
 
     UpstreamsConfig:
         type: "object"