diff --git a/CHANGELOG.md b/CHANGELOG.md index 289b1d2e..3c2fa06c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -127,6 +127,7 @@ In this release, the schema version has changed from 12 to 14. ### Fixed +- Case-sensitive ClientID ([#4542]). - Slow version update queries making other HTTP APIs unresponsible ([#4499]). - ARP tables refreshing process causing excessive PTR requests ([#3157]). @@ -148,6 +149,7 @@ In this release, the schema version has changed from 12 to 14. [#4276]: https://github.com/AdguardTeam/AdGuardHome/issues/4276 [#4499]: https://github.com/AdguardTeam/AdGuardHome/issues/4499 [#4533]: https://github.com/AdguardTeam/AdGuardHome/issues/4533 +[#4542]: https://github.com/AdguardTeam/AdGuardHome/issues/4542 [ddr-draft-06]: https://www.ietf.org/archive/id/draft-ietf-add-ddr-06.html [doq-draft-10]: https://datatracker.ietf.org/doc/html/draft-ietf-dprive-dnsoquic-10#section-10.2 diff --git a/internal/dnsforward/clientid.go b/internal/dnsforward/clientid.go index 481fb84d..bb687a41 100644 --- a/internal/dnsforward/clientid.go +++ b/internal/dnsforward/clientid.go @@ -65,7 +65,7 @@ func clientIDFromClientServerName( return "", err } - return clientID, nil + return strings.ToLower(clientID), nil } // clientIDFromDNSContextHTTPS extracts the client's ID from the path of the @@ -104,7 +104,7 @@ func clientIDFromDNSContextHTTPS(pctx *proxy.DNSContext) (clientID string, err e return "", fmt.Errorf("clientid check: %w", err) } - return clientID, nil + return strings.ToLower(clientID), nil } // tlsConn is a narrow interface for *tls.Conn to simplify testing. diff --git a/internal/dnsforward/clientid_test.go b/internal/dnsforward/clientid_test.go index e62dbe58..6e23d639 100644 --- a/internal/dnsforward/clientid_test.go +++ b/internal/dnsforward/clientid_test.go 
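Review bot: The lower-casing is written out separately at the final `return` of `clientIDFromClientServerName`, again at the final `return` of `clientIDFromDNSContextHTTPS` (the `@@ -104,7 +104,7 @@` hunk), and a third time in `internal/home/clients.go`, so the rule that decides which stored client a request matches lives in three places. A ClientID presumably selects per-client settings, so any lookup or storage path that misses the normalization would stop matching the intended client without reporting an error. One exported helper next to `ValidateClientID`, for example `func NormalizeClientID(id string) string { return strings.ToLower(id) }`, called at all three sites, would keep them in step. The doc comments of both functions should also state the new contract, e.g. `// The returned clientID is always lower-cased.`. Both function bodies start outside their hunks, so it is not visible whether the validation before the return limits the ID to ASCII; `strings.ToLower` also folds non-ASCII letters.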
@@ -143,6 +143,22 @@ func TestServer_clientIDFromDNSContext(t *testing.T) { wantErrMsg: `clientid check: client server name "cli.myexample.com" ` + `doesn't match host server name "example.com"`, strictSNI: true, + }, { + name: "tls_case", + proto: proxy.ProtoTLS, + hostSrvName: "example.com", + cliSrvName: "InSeNsItIvE.example.com", + wantClientID: "insensitive", + wantErrMsg: ``, + strictSNI: true, + }, { + name: "quic_case", + proto: proxy.ProtoQUIC, + hostSrvName: "example.com", + cliSrvName: "InSeNsItIvE.example.com", + wantClientID: "insensitive", + wantErrMsg: ``, + strictSNI: true, }} for _, tc := range testCases { @@ -210,6 +226,11 @@ func TestClientIDFromDNSContextHTTPS(t *testing.T) { path: "/dns-query/cli/", wantClientID: "cli", wantErrMsg: "", + }, { + name: "clientid_case", + path: "/dns-query/InSeNsItIvE", + wantClientID: "insensitive", + wantErrMsg: ``, }, { name: "bad_url", path: "/foo", diff --git a/internal/home/clients.go b/internal/home/clients.go index d4d6b959..4ba6b884 100644 --- a/internal/home/clients.go +++ b/internal/home/clients.go @@ -5,6 +5,7 @@ import ( "fmt" "net" "sort" + "strings" "sync" "time" @@ -546,7 +547,7 @@ func (clients *clientsContainer) check(c *Client) (err error) { } else if mac, err = net.ParseMAC(id); err == nil { c.IDs[i] = mac.String() } else if err = dnsforward.ValidateClientID(id); err == nil { - c.IDs[i] = id + c.IDs[i] = strings.ToLower(id) } else { return fmt.Errorf("invalid clientid at index %d: %q", i, id) }
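Review bot: The new `tls_case` and `quic_case` entries vary the case of the ClientID label only, so the `strictSNI` comparison of the rest of the name against `hostSrvName` is still exercised with matching case alone. DNS names compare case-insensitively, so an entry with `cliSrvName: "cli.EXAMPLE.com"` and `hostSrvName: "example.com"` would pin down whether a mixed-case suffix is accepted or rejected with the "doesn't match host server name" error. The comparison itself is outside this diff, so the expected result has to be decided and recorded in the table. The table and the test loop continue outside the hunk.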
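Review bot: Lower-casing in the `ValidateClientID` branch of `check` can turn two IDs that differ only in case into the same string, and nothing in the hunk shows a duplicate check after the assignment `c.IDs[i] = strings.ToLower(id)`. If uniqueness is enforced elsewhere, it has to run on the normalized value; otherwise two client entries could claim the same ClientID, and which one a lookup returns would not be obvious. A comment on the changed line would record the intent, e.g. `// Normalize to lower case so that lookups by ClientID are case-insensitive.`. The surrounding loop and the rest of `check` are outside the hunk.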