getdns is currently the most feature rich client for DNS-over-TCP and DNS-over-TLS features and can be run in daemon mode to send all outgoing DNS messages over TLS (see below).
Query: To query this with drill use: (the IP address is used here simply to stop the server name resolution falling back to TCP because your local resolver doesn't support DNS-over-TLS).
drill -t @<serverIP> <query name> (to see TCP query)
drill -l -p1021 @<serverIP> <query name> (to see TLS query)
drill -C @<serverIP> <query name> (to see STARTTLS query)
drill -C -D @<serverIP> <query name> (to do a DNSSEC lookup using STARTTLS)
Query: Build digit with openssl:
If you want to decode the DNS packets in Wireshark (use 1.12.1 or later) to get support TLSv1.2
Obtain the server key file
Configure the key in wireshark in Edit->Preferences