diff --git a/go.mod b/go.mod
index fb0f2b5c..829a5a05 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/AdguardTeam/AdGuardHome
 go 1.22.2
 
 require (
- github.com/AdguardTeam/dnsproxy v0.67.1-0.20240403090357-a2c0e321a217
+ github.com/AdguardTeam/dnsproxy v0.68.1-0.20240405142149-5ce78d69942a
 github.com/AdguardTeam/golibs v0.23.0
 github.com/AdguardTeam/urlfilter v0.18.0
 github.com/NYTimes/gziphandler v1.1.1
diff --git a/go.sum b/go.sum
index d04944c3..03043bf5 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-github.com/AdguardTeam/dnsproxy v0.67.1-0.20240403090357-a2c0e321a217 h1:ryczFRf8y6PEzCjgy/S3Ptg4Ea1TUYFyiEZnoEyEV7s=
-github.com/AdguardTeam/dnsproxy v0.67.1-0.20240403090357-a2c0e321a217/go.mod h1:5wIQueGTDX1Uk4GYevRh7HCtsCUR/U9lxf478+STOZI=
+github.com/AdguardTeam/dnsproxy v0.68.1-0.20240405142149-5ce78d69942a h1:RI+MYfXbXLsZaMfJ2rpOR17+VQNZwHMR0CIOczAqbNM=
+github.com/AdguardTeam/dnsproxy v0.68.1-0.20240405142149-5ce78d69942a/go.mod h1:GW5AIEYFntDwXdESWyNH4DDgdE8O6V4o3Xe/doqZOwM=
 github.com/AdguardTeam/golibs v0.23.0 h1:PHz/QhJhLmoaOokkqrPFUgu9Hw4iVAqLtBP0O3g1D3Q=
 github.com/AdguardTeam/golibs v0.23.0/go.mod h1:/xZCf6gZZzz7k1qaoJmI+hhxN98kHFr7LJ22j1nLH0c=
 github.com/AdguardTeam/urlfilter v0.18.0 h1:ZZzwODC/ADpjJSODxySrrUnt/fvOCfGFaCW6j+wsGfQ=
diff --git a/internal/dnsforward/config.go b/internal/dnsforward/config.go
index ebf4c026..79347431 100644
--- a/internal/dnsforward/config.go
+++ b/internal/dnsforward/config.go
@@ -327,7 +327,7 @@ func (s *Server) newProxyConfig() (conf *proxy.Config, err error) {
 CacheOptimistic: srvConf.CacheOptimistic,
 UpstreamConfig: srvConf.UpstreamConfig,
 PrivateRDNSUpstreamConfig: srvConf.PrivateRDNSUpstreamConfig,
- BeforeRequestHandler: s.beforeRequestHandler,
+ BeforeRequestHandler: s,
 RequestHandler: s.handleDNSRequest,
 HTTPSServerName: aghhttp.UserAgent(),
 EnableEDNSClientSubnet: srvConf.EDNSClientSubnet.Enabled,
diff --git a/internal/dnsforward/filter.go b/internal/dnsforward/filter.go
index 46599c11..fd1225ab 100644
--- a/internal/dnsforward/filter.go
+++ b/internal/dnsforward/filter.go
@@ -15,16 +15,22 @@ import (
 "github.com/miekg/dns"
 )
 
-// beforeRequestHandler is the handler that is called before any other
-// processing, including logs. It performs access checks and puts the client
-// ID, if there is one, into the server's cache.
-func (s *Server) beforeRequestHandler(
+// type check
+var _ proxy.BeforeRequestHandler = (*Server)(nil)
+
+// HandleBefore is the handler that is called before any other processing,
+// including logs. It performs access checks and puts the client ID, if there
+// is one, into the server's cache.
+func (s *Server) HandleBefore(
 _ *proxy.Proxy,
 pctx *proxy.DNSContext,
-) (reply bool, err error) {
+) (err error) {
 clientID, err := s.clientIDFromDNSContext(pctx)
 if err != nil {
- return false, fmt.Errorf("getting clientid: %w", err)
+ return &proxy.BeforeRequestError{
+ Err: fmt.Errorf("getting clientid: %w", err),
+ Response: s.NewMsgSERVFAIL(pctx.Req),
+ }
 }
 
 blocked, _ := s.IsBlockedClient(pctx.Addr.Addr(), clientID)
@@ -49,7 +55,7 @@ func (s *Server) beforeRequestHandler(
 s.clientIDCache.Set(key[:], []byte(clientID))
 }
 
- return true, nil
+ return nil
 }
 
 // clientRequestFilteringSettings looks up client filtering settings using the
diff --git a/internal/dnsforward/msg.go b/internal/dnsforward/msg.go
index e5f047fe..af736362 100644
--- a/internal/dnsforward/msg.go
+++ b/internal/dnsforward/msg.go
@@ -6,6 +6,7 @@ import (
 
 "github.com/AdguardTeam/AdGuardHome/internal/filtering"
 "github.com/AdguardTeam/dnsproxy/proxy"
+ "github.com/AdguardTeam/golibs/errors"
 "github.com/AdguardTeam/golibs/log"
 "github.com/AdguardTeam/urlfilter/rules"
 "github.com/miekg/dns"
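Review bot: HandleBefore is now an exported method that satisfies proxy.BeforeRequestHandler, but its doc comment is still the old private handler's text and says nothing about the new error contract, which is the only way the caller learns whether to answer or drop the query. I would open the comment with `// HandleBefore implements the [proxy.BeforeRequestHandler] interface for *Server.` and add one sentence stating that a failed client-ID lookup is reported as a *proxy.BeforeRequestError carrying a SERVFAIL response, while a nil return lets the request proceed. That SERVFAIL is sent regardless of transport, whereas preBlockedResponse in msg.go deliberately sends nothing over UDP and DNSCrypt; a SERVFAIL is roughly query-sized so it is not an amplification vector, but a short comment on why the two paths differ would save the next reader the same question. The middle of HandleBefore (the access check and the clientIDCache write) lies outside this hunk.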
@@ -339,18 +340,23 @@ func (s *Server) genBlockedHost(request *dns.Msg, newAddr string, d *proxy.DNSCo
 return resp
 }
 
+// errAccessBlocked is a sentinel error returned when a request is blocked by
+// access settings.
+var errAccessBlocked errors.Error = "blocked by access settings"
+
 // preBlockedResponse returns a protocol-appropriate response for a request that
 // was blocked by access settings.
-func (s *Server) preBlockedResponse(pctx *proxy.DNSContext) (reply bool, err error) {
+func (s *Server) preBlockedResponse(pctx *proxy.DNSContext) (err error) {
 if pctx.Proto == proxy.ProtoUDP || pctx.Proto == proxy.ProtoDNSCrypt {
 // Return nil so that dnsproxy drops the connection and thus
 // prevent DNS amplification attacks.
- return false, nil
+ return errAccessBlocked
 }
 
- pctx.Res = s.makeResponseREFUSED(pctx.Req)
-
- return true, nil
+ return &proxy.BeforeRequestError{
+ Err: errAccessBlocked,
+ Response: s.makeResponseREFUSED(pctx.Req),
+ }
 }
 
 // Create REFUSED DNS response
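Review bot: The comment inside the UDP/DNSCrypt branch is now stale: it says `Return nil so that dnsproxy drops the connection`, but the line below it returns the non-nil errAccessBlocked with no response attached. Rewrite it as `// Return an error without a response so that dnsproxy drops the request and thus prevents DNS amplification attacks.` Not answering here is what keeps a spoofed-source UDP query from being turned into a reply, so the protection now depends on dnsproxy sending nothing for a plain error as opposed to a *proxy.BeforeRequestError with a Response; that is worth confirming against the dnsproxy revision pinned in go.mod in this same commit, since the callback contract is exactly what moved. The named result `(err error)` is never assigned or read in the body, so a plain `error` return type would be cleaner.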