diff --git a/modules/adguard.nix b/modules/adguard.nix
index a7efca4..e77f8f5 100644
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@@ -101,7 +101,7 @@ in
         private_key_path = "/var/lib/acme/${cfg.domain}/key.pem";
         port_dns_over_tls = 853;
         port_dns_over_quic = 0;
-        allow_unencrypted_doh = true;
+        allow_unencrypted_doh = false;
       };
 
       filtering = {
@@ -156,32 +156,12 @@ in
       }) cfg.clients
     );
 
-    # Nginx configuration for DoH endpoint
+    # Nginx configuration (kept to satisfy ACME challenges for DoT certificates)
     services.nginx.virtualHosts."${cfg.domain}" = {
       enableACME = true;
       forceSSL = true;
 
-      # Regex location to match /dns-query and /dns-query/{clientId}
-      locations."~ ^/dns-query" = {
-        proxyPass = "http://127.0.0.1:${toString cfg.port}";
-        extraConfig = ''
-          proxy_http_version 1.1;
-          proxy_set_header Host $host;
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header X-Forwarded-Proto $scheme;
-          # DoH uses POST with application/dns-message
-          proxy_pass_request_body on;
-          proxy_set_header Content-Type "application/dns-message";
-          # Buffer settings for DNS queries
-          proxy_buffers 8 16k;
-          proxy_buffer_size 32k;
-        '';
-      };
-      # Block all other paths including admin UI
+      # Block all paths (no DoH or UI exposed via Nginx)
       locations."/" = {
         return = "404";
       };
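Review bot: The flip of `allow_unencrypted_doh` to `false` carries no comment, so a reader of the `tls` block cannot tell whether plaintext DoH on the internal listener was dropped on purpose or whether DoH is now expected to be served some other way. The only visible encrypted transport left in this block is DoT on `port_dns_over_tls = 853` (DoQ is off with `port_dns_over_quic = 0`), and the hunk does not show any HTTPS listener for AdGuard itself. Suggest a one-line comment on the changed line: `# Nginx no longer terminates TLS for DoH; refuse plaintext DoH on the internal listener, DoT (853) is the only encrypted transport`. The enclosing `tls` attribute set starts outside the hunk.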
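Review bot: The removed `proxyPass` to `http://127.0.0.1:${toString cfg.port}` was the only place in this file section that showed how the AdGuard HTTP listener is reached, and the new code says nothing about what now guards that port; with Nginx no longer fronting it, the listener must stay bound to loopback (as the removed line implied) or it becomes directly reachable, which this hunk cannot confirm either way. The new comment on the `locations."/"` block should also state the user-visible consequence: existing clients still configured for `https://<domain>/dns-query` will receive a plain 404 from this vhost rather than a DNS-level failure. A comment such as `# /dns-query is intentionally gone: DoH clients now get 404; the vhost exists only for ACME HTTP-01, and the AdGuard HTTP listener is expected to remain loopback-only` would capture both points. The NixOS nginx module adds the `/.well-known/acme-challenge` location itself when `enableACME = true`, so the catch-all 404 on `/` does not break renewal; the `services.nginx.virtualHosts` set is closed outside the hunk.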