diff --git a/wstunnel/src/config.rs b/wstunnel/src/config.rs
index 5b46e6c..d581dec 100644
--- a/wstunnel/src/config.rs
+++ b/wstunnel/src/config.rs
@@ -94,10 +94,19 @@ pub struct Client {
 /// Disable sending SNI during TLS handshake
 /// Warning: Most reverse proxies rely on it
- #[cfg_attr(feature = "clap", arg(long, verbatim_doc_comment))]
+ #[cfg_attr(
+ feature = "clap",
+ arg(
+ long,
+ verbatim_doc_comment,
+ conflicts_with = "tls_sni_override",
+ conflicts_with = "tls_ech_enable"
+ )
+ )]
 pub tls_sni_disable: bool,
- /// Enable ECH during TLS handshake
+ /// Enable ECH (encrypted sni) during TLS handshake to wstunnel server.
+ /// Warning: Ech DNS config is not refreshed over time. It is retrieved only once at startup of the program
 #[cfg_attr(feature = "clap", arg(long, verbatim_doc_comment))]
 pub tls_ech_enable: bool,
diff --git a/wstunnel/src/protocols/tls/server.rs b/wstunnel/src/protocols/tls/server.rs
index 8166b5d..05bf617 100644
--- a/wstunnel/src/protocols/tls/server.rs
+++ b/wstunnel/src/protocols/tls/server.rs
@@ -128,6 +128,7 @@ pub fn tls_connector(
 let crypto_provider = ClientConfig::builder().crypto_provider().clone();
 let config_builder = ClientConfig::builder_with_provider(crypto_provider);
 let config_builder = if let Some(ech_config) = ech_config {
+ info!("Using TLS ECH (encrypted sni) with config: {:?}", ech_config);
 config_builder.with_ech(EchMode::Enable(ech_config))?
 } else {
 config_builder.with_safe_default_protocol_versions()?
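Review bot: The new `info!` line in `tls_connector` dumps the whole ECH config through `{:?}` at info level on every connector build, which is presumably a multi-line structured blob (public key, cipher suites, public name) rather than the one-line fact an operator wants at that level. The ECH config is fetched from DNS and is public data, so this is a noise and log-volume concern rather than a secret leak, but it will repeat on every reconnect. I would keep the operator-facing line short and move the dump to debug level: `info!("TLS ECH (encrypted sni) enabled for wstunnel server connection");` followed by `debug!("TLS ECH config: {:?}", ech_config);`. Note that `tls_connector` starts before this hunk and its body continues past it, so where `ech_config` comes from (and whether it is refreshed) is not visible here; the config.rs doc comment in this same commit says it is fetched only once at startup, which would be worth echoing in a comment next to the `if let` so the staleness caveat lives beside the code that uses it.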