According to the AdGuard wiki https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid, the user's client ID can be set based on the URL used for DoT.
I'm trying to connect to my AdGuard instance with clientID.adguard.example.com, but there is a certificate mismatch because *.adguard.example.com certificates aren't being generated. See the error message below:
dog google.com --tls @clientid.adguard.example.com
Error [tls]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1914: (Hostname mismatch)
The main reason I want to do this is to limit DNS requests to certain clientIDs so I can use the Private DNS function on Android. I can't use my cell IP address because it's dynamic, so that is the only way I see to have a locked-down DNS server. I believe all that needs to be done is to issue certs for the AdGuard instance (as is already done) and then a wildcard cert for *.adguard.example.com.
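The hostname mismatch above comes down to how a TLS client compares the DoT server name with the certificate's subjectAltName entries. The sketch below is an added example, not part of the original post or of AdGuard Home: the function names are hypothetical, and the SAN lists are constructed from the post's example domains rather than read from a real certificate.

```python
# Added example: RFC 6125-style matching of a DoT server name against
# certificate SAN dNSName entries. All inputs are constructed samples.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers the given hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        # A wildcard stands for exactly one label, so "*.a.example" covers
        # neither "a.example" itself nor "x.y.a.example".
        return False
    if p_labels[0] == "*":
        # Only a whole leftmost-label wildcard is honoured here; partial
        # wildcards such as "f*.example.com" fall through to exact compare.
        return (len(p_labels) >= 3
                and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def covering_sans(sans, hostname):
    """List the SAN entries that would satisfy hostname verification."""
    return [s for s in sans if san_matches(s, hostname)]


def missing_names(sans, hostnames):
    """List the hostnames a client could not verify against these SANs."""
    return [h for h in hostnames if not covering_sans(sans, h)]


# Constructed: certificate issued for the instance name only (the situation
# that produces the "Hostname mismatch" error in the post).
CURRENT_SANS = ["adguard.example.com"]
# Constructed: instance name plus the wildcard the post asks for.
PROPOSED_SANS = ["adguard.example.com", "*.adguard.example.com"]
# Names a client may put in its DoT configuration.
NAMES = ["adguard.example.com", "clientid.adguard.example.com"]

if __name__ == "__main__":
    for label, sans in (("current", CURRENT_SANS), ("proposed", PROPOSED_SANS)):
        print(label, "-> names that fail verification:", missing_names(sans, NAMES))
```

The wildcard entry alone does not cover the bare instance name, which is why the proposed certificate carries both names.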