diff --git a/dnscrypt-proxy/plugin_allow_ip.go b/dnscrypt-proxy/plugin_allow_ip.go
index b880e417..18212c53 100644
--- a/dnscrypt-proxy/plugin_allow_ip.go
+++ b/dnscrypt-proxy/plugin_allow_ip.go
@@ -119,10 +119,14 @@ func (plugin *PluginAllowedIP) Eval(pluginsState *PluginsState, msg *dns.Msg) er
 		if plugin.logger != nil {
 			qName := pluginsState.qName
 			var clientIPStr string
-			if pluginsState.clientProto == "udp" {
+			switch pluginsState.clientProto {
+			case "udp":
 				clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
-			} else {
+			case "tcp", "local_doh":
 				clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
+			default:
+				// Ignore internal flow.
+				return nil
 			}
 			var line string
 			if plugin.format == "tsv" {
diff --git a/dnscrypt-proxy/plugin_allow_name.go b/dnscrypt-proxy/plugin_allow_name.go
index 005cbbc8..80ca75c7 100644
--- a/dnscrypt-proxy/plugin_allow_name.go
+++ b/dnscrypt-proxy/plugin_allow_name.go
@@ -96,10 +96,14 @@ func (plugin *PluginAllowName) Eval(pluginsState *PluginsState, msg *dns.Msg) er
 		pluginsState.sessionData["whitelisted"] = true
 		if plugin.logger != nil {
 			var clientIPStr string
-			if pluginsState.clientProto == "udp" {
+			switch pluginsState.clientProto {
+			case "udp":
 				clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
-			} else {
+			case "tcp", "local_doh":
 				clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
+			default:
+				// Ignore internal flow.
+				return nil
 			}
 			var line string
 			if plugin.format == "tsv" {
diff --git a/dnscrypt-proxy/plugin_block_ip.go b/dnscrypt-proxy/plugin_block_ip.go
index dd13c686..3d50b9a8 100644
--- a/dnscrypt-proxy/plugin_block_ip.go
+++ b/dnscrypt-proxy/plugin_block_ip.go
@@ -123,10 +123,14 @@ func (plugin *PluginBlockIP) Eval(pluginsState *PluginsState, msg *dns.Msg) erro
 		if plugin.logger != nil {
 			qName := pluginsState.qName
 			var clientIPStr string
-			if pluginsState.clientProto == "udp" {
+			switch pluginsState.clientProto {
+			case "udp":
 				clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
-			} else {
+			case "tcp", "local_doh":
 				clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
+			default:
+				// Ignore internal flow.
+				return nil
 			}
 			var line string
 			if plugin.format == "tsv" {
diff --git a/dnscrypt-proxy/plugin_block_name.go b/dnscrypt-proxy/plugin_block_name.go
index 01f3877c..d28bfb52 100644
--- a/dnscrypt-proxy/plugin_block_name.go
+++ b/dnscrypt-proxy/plugin_block_name.go
@@ -44,10 +44,14 @@ func (blockedNames *BlockedNames) check(pluginsState *PluginsState, qName string
 	pluginsState.returnCode = PluginsReturnCodeReject
 	if blockedNames.logger != nil {
 		var clientIPStr string
-		if pluginsState.clientProto == "udp" {
+		switch pluginsState.clientProto {
+		case "udp":
 			clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
-		} else {
+		case "tcp", "local_doh":
 			clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
+		default:
+			// Ignore internal flow.
+			return false, nil
 		}
 		var line string
 		if blockedNames.format == "tsv" {
diff --git a/dnscrypt-proxy/plugin_nx_log.go b/dnscrypt-proxy/plugin_nx_log.go
index fce62a68..b966519e 100644
--- a/dnscrypt-proxy/plugin_nx_log.go
+++ b/dnscrypt-proxy/plugin_nx_log.go
@@ -43,17 +43,21 @@ func (plugin *PluginNxLog) Eval(pluginsState *PluginsState, msg *dns.Msg) error
 	if msg.Rcode != dns.RcodeNameError {
 		return nil
 	}
+	var clientIPStr string
+	switch pluginsState.clientProto {
+	case "udp":
+		clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
+	case "tcp", "local_doh":
+		clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
+	default:
+		// Ignore internal flow.
+		return nil
+	}
 	question := msg.Question[0]
 	qType, ok := dns.TypeToString[question.Qtype]
 	if !ok {
 		qType = string(qType)
 	}
-	var clientIPStr string
-	if pluginsState.clientProto == "udp" {
-		clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
-	} else {
-		clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
-	}
 	qName := pluginsState.qName
 
 	var line string
diff --git a/dnscrypt-proxy/plugin_query_log.go b/dnscrypt-proxy/plugin_query_log.go
index fa4f623b..04256e63 100644
--- a/dnscrypt-proxy/plugin_query_log.go
+++ b/dnscrypt-proxy/plugin_query_log.go
@@ -43,6 +43,16 @@ func (plugin *PluginQueryLog) Reload() error {
 }
 
 func (plugin *PluginQueryLog) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
+	var clientIPStr string
+	switch pluginsState.clientProto {
+	case "udp":
+		clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
+	case "tcp", "local_doh":
+		clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
+	default:
+		// Ignore internal flow.
+		return nil
+	}
 	question := msg.Question[0]
 	qType, ok := dns.TypeToString[question.Qtype]
 	if !ok {
@@ -55,12 +65,6 @@ func (plugin *PluginQueryLog) Eval(pluginsState *PluginsState, msg *dns.Msg) err
 			}
 		}
 	}
-	var clientIPStr string
-	if pluginsState.clientProto == "udp" {
-		clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
-	} else {
-		clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
-	}
 	qName := pluginsState.qName
 
 	if pluginsState.cacheHit {