diff --git a/Dockerfile b/Dockerfile
index e2cf7a5..8b274f7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -37,7 +37,7 @@ ENV RUSTFLAGS "-C link-arg=-s"
 RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS && \
     curl -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain stable && \
     export PATH="$HOME/.cargo/bin:$PATH" && \
-    echo "Compiling encrypted-dns version 0.3.14" && \
+    echo "Compiling encrypted-dns version 0.3.17" && \
     cargo install encrypted-dns && \
     mkdir -p /opt/encrypted-dns/sbin && \
     mv ~/.cargo/bin/encrypted-dns /opt/encrypted-dns/sbin/ && \
diff --git a/encrypted-dns.toml.in b/encrypted-dns.toml.in
index 7b83338..acb877d 100644
--- a/encrypted-dns.toml.in
+++ b/encrypted-dns.toml.in
@@ -114,6 +114,11 @@ group = "_encrypted-dns"
 # chroot = "/var/empty"
 
 
+## Queries sent to that name will return the client IP address.
+## This can be very useful for debugging, or to check that relaying works.
+
+my_ip = "my.ip"
+
 
 ####################################
 #         DNSCrypt settings        #
@@ -223,3 +228,23 @@ allow_non_reserved_ports = false
 # Blacklisted upstream IP addresses
 
 blacklisted_ips = [ @ANONDNS_BLACKLISTED_IPS@ ]
+
+
+
+
+################################
+#        Access control        #
+################################
+
+[access_control]
+
+# Enable access control
+
+enabled = false
+
+# Only allow access to client queries including one of these random tokens
+# Tokens can be configured in the `query_meta` section of `dnscrypt-proxy` as
+# `query_meta = ["token:..."]` -- Replace ... with the token to use by the client.
+# Example: `query_meta = ["token:Y2oHkDJNHz"]`
+
+tokens = ["Y2oHkDJNHz", "G5zY3J5cHQtY", "C5zZWN1cmUuZG5z"]