getdns is currently the most feature-rich client for DNS-over-TCP and DNS-over-TLS. See the DNS Privacy daemon - Stubby web page for how to use it as a local DNS Privacy stub resolver.
Query: To query this with drill, use the commands below (the IP address is used here simply to stop the server name resolution falling back to TCP because your local resolver doesn't support DNS-over-TLS):
drill -t @<serverIP> <query name> (to see TCP query)
drill -l -p1021 @<serverIP> <query name> (to see TLS query)
drill -C @<serverIP> <query name> (to see STARTTLS query)
drill -C -D @<serverIP> <query name> (to do a DNSSEC lookup using STARTTLS)
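For readers who want to see what a TLS query like the one above puts on the wire, here is an added Python example (not part of the original page and not drill's or getdns's code). It connects by IP address, as the drill commands do, while still authenticating the server certificate against a name; `auth_name` and the function names are hypothetical, and the default port is the 1021 used in the drill example.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, qid=0x1234):
    """Build a DNS query (default type A) with the 2-byte length prefix used over TCP/TLS."""
    labels = name.rstrip(".").encode("ascii").split(b".")
    if any(not 0 < len(label) <= 63 for label in labels):
        raise ValueError("each label must be 1..63 bytes")
    # Fixed id keeps the example deterministic; use a random id in practice.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg

def parse_header(framed):
    """Validate the length prefix and return (id, rcode, answer_count)."""
    if len(framed) < 14:
        raise ValueError("message shorter than prefix plus DNS header")
    (length,) = struct.unpack("!H", framed[:2])
    if length != len(framed) - 2:
        raise ValueError("length prefix does not match payload size")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", framed[2:14])
    return qid, flags & 0x000F, an

def recv_exact(sock, n):
    """Read exactly n bytes; a TLS record may deliver fewer per recv()."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message")
        buf += chunk
    return buf

def query_over_tls(server_ip, name, auth_name, port=1021):
    """Send one query over TLS to server_ip, verifying the cert against auth_name."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        # server_hostname supplies the name to verify even though we dialled an IP.
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(build_query(name))
            prefix = recv_exact(tls, 2)
            body = recv_exact(tls, struct.unpack("!H", prefix)[0])
            return parse_header(prefix + body)
```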
Query: Build digit with openssl:
If you want to decode the DNS packets in Wireshark (use 1.12.1 or later to get TLSv1.2 support):
Obtain the server key file
Configure the key in Wireshark in Edit->Preferences