diff -ru dnsdist-1.9.12.orig/doh3.cc dnsdist-1.9.12.CVE-2026-33254/doh3.cc
--- dnsdist-1.9.12.orig/doh3.cc 2026-03-13 16:09:16.000000000 +0100
+++ dnsdist-1.9.12.CVE-2026-33254/doh3.cc 2026-04-03 15:33:59.540346337 +0200
@@ -30,13 +30,12 @@
 #include "misc.hh"
 #include "sstuff.hh"
 #include "threadname.hh"
-#include "base64.hh"
+#include "dnsdist-concurrent-connections.hh"
 #include "dnsdist-dnsparser.hh"
 #include "dnsdist-ecs.hh"
 #include "dnsdist-proxy-protocol.hh"
 #include "dnsdist-tcp.hh"
-#include "dnsdist-random.hh"
 #include "doq-common.hh"
@@ -62,7 +61,18 @@
 H3Connection(H3Connection&&) = default;
 H3Connection& operator=(const H3Connection&) = delete;
 H3Connection& operator=(H3Connection&&) = default;
- ~H3Connection() = default;
+ ~H3Connection()
+ {
+ try {
+ /* do not account if we have been moved! */
+ if (d_conn) {
+ dnsdist::IncomingConcurrentTCPConnectionsManager::accountClosedTCPConnection(d_peer);
+ }
+ }
+ catch (...) {
+ /* in theory it might raise an exception, and we cannot allow it to be uncaught in a dtor */
+ }
+ }
 ComboAddress d_peer;
 ComboAddress d_localAddr;
@@ -942,6 +952,11 @@
 continue;
 }
+ if (!dnsdist::IncomingConcurrentTCPConnectionsManager::accountNewTCPConnection(client)) {
+ DEBUGLOG("Connection not allowed!");
+ continue;
+ }
+
 DEBUGLOG("Creating a new connection");
 conn = createConnection(*frontend.d_server_config, serverConnID, *originalDestinationID, localAddr, client);
 if (!conn) {
diff -ru dnsdist-1.9.12.orig/doq.cc dnsdist-1.9.12.CVE-2026-33254/doq.cc
--- dnsdist-1.9.12.orig/doq.cc 2026-03-13 16:09:16.000000000 +0100
+++ dnsdist-1.9.12.CVE-2026-33254/doq.cc 2026-04-03 15:33:59.540467136 +0200
@@ -31,11 +31,11 @@
 #include "sstuff.hh"
 #include "threadname.hh"
+#include "dnsdist-concurrent-connections.hh"
 #include "dnsdist-dnsparser.hh"
 #include "dnsdist-ecs.hh"
 #include "dnsdist-proxy-protocol.hh"
 #include "dnsdist-tcp.hh"
-#include "dnsdist-random.hh"
 #include "doq-common.hh"
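Review bot: The moved-from guard `if (d_conn)` in the new `~H3Connection` body only works if the defaulted move constructor/assignment leaves the source's `d_conn` empty, which holds for a `std::unique_ptr`-style member but not for every type; `d_conn`'s declaration is outside the hunk, so the assumption deserves to be written down, e.g. `/* the defaulted move leaves d_conn empty, so a moved-from object must not decrement the per-client counter */`. The destructor also assumes `d_peer` is the same address that was charged via `accountNewTCPConnection(client)` at accept time; if the constructor (outside the hunk) ever stored something else, the close would decrement another client's count, so a one-line comment stating that pairing would help the next maintainer. Since `catch (...)` hides any accounting failure completely, a `DEBUGLOG` inside the handler would make an imbalance at least diagnosable in debug builds. The identical destructor added to `Connection` in doq.cc at `@@ -59,7 +59,18 @@` has the same caveats.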
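Review bot: The per-client slot is charged by `accountNewTCPConnection(client)` before `createConnection(...)` runs, but the new destructor releases it only when an `H3Connection` with a non-null `d_conn` is destroyed; on the `if (!conn)` path, whose body lies outside the hunk, such an object may never have been constructed, so unless that branch calls `accountClosedTCPConnection(client)` itself, every failed accept leaks one slot and a client whose accepts keep failing is eventually refused by the limit rather than by the failure. If the branch does not already balance the count, adding `dnsdist::IncomingConcurrentTCPConnectionsManager::accountClosedTCPConnection(client);` as its first statement would close the gap. The enclosing accept loop starts and ends outside the hunk, and the doq.cc hunk at `@@ -746,6 +757,11 @@` has the same ordering.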
@@ -59,7 +59,18 @@
 Connection(Connection&&) = default;
 Connection& operator=(const Connection&) = delete;
 Connection& operator=(Connection&&) = default;
- ~Connection() = default;
+ ~Connection()
+ {
+ try {
+ /* do not account if we have been moved! */
+ if (d_conn) {
+ dnsdist::IncomingConcurrentTCPConnectionsManager::accountClosedTCPConnection(d_peer);
+ }
+ }
+ catch (...) {
+ /* in theory it might raise an exception, and we cannot allow it to be uncaught in a dtor */
+ }
+ }
 ComboAddress d_peer;
 ComboAddress d_localAddr;
@@ -746,6 +757,11 @@
 continue;
 }
+ if (!dnsdist::IncomingConcurrentTCPConnectionsManager::accountNewTCPConnection(client)) {
+ DEBUGLOG("Connection not allowed!");
+ continue;
+ }
+
 DEBUGLOG("Creating a new connection");
 conn = createConnection(*frontend.d_server_config, serverConnID, *originalDestinationID, client, localAddr);
 if (!conn) {