Since version 1.3.0, dnsdist has experimental support for DNS-over-TLS. To see whether a given installation supports it, run dnsdist --version. If the output lists dns-over-tls followed by one or more SSL libraries in brackets (for example dns-over-tls(gnutls openssl)), DNS-over-TLS is available in that build.

Adding a listen port for DNS-over-TLS can be done with the addTLSLocal() function, e.g.:

addTLSLocal('', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key')

This will make dnsdist listen for DNS-over-TLS on the address given as the first argument (with an optional port; the default port is 853) and use the provided certificate and key to terminate the TLS connections. DNS-over-TLS runs over TCP only, so this listener accepts TCP connections and no UDP; plain-DNS listeners are still added separately with addLocal().
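The following is an added example of a complete minimal dnsdist configuration built around addTLSLocal(); it is not taken from the dnsdist documentation or source. The listen addresses, the backend resolver address and the certificate and key paths are assumptions, as is the cipher list; the option names used (ciphers, reusePort) are documented options of addTLSLocal().

```lua
-- Added example, not from the dnsdist documentation: a minimal dnsdist.conf
-- that terminates DNS-over-TLS in front of a plain-DNS resolver.
-- Listen addresses, backend address and file paths are assumptions.

-- Backend resolver that answers the decrypted queries (assumed to run locally).
newServer({address = "127.0.0.1:5300", name = "local-resolver"})

-- DNS-over-TLS front end. DoT is TCP only; 853 is the default port, given here
-- explicitly for clarity. Binding a specific address avoids listening on the
-- wildcard by accident.
addTLSLocal("127.0.0.1:853",
            "/etc/ssl/certs/example.com.pem",
            "/etc/ssl/private/example.com.key",
            {
              -- Restrict the TLS cipher list (OpenSSL cipher-string syntax;
              -- this particular list is an assumed example, not a recommendation
              -- from the dnsdist project).
              ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" ..
                        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384",
              -- Let several dnsdist threads bind the same port.
              reusePort = true
            })

-- Plain-DNS listener (UDP and TCP) for clients that do not speak TLS.
addLocal("127.0.0.1:53")
```

Validate the file before starting the daemon with dnsdist -C /path/to/dnsdist.conf --check-config, keep the private key readable only by the user dnsdist runs as (dnsdist reads it at startup), and then check the listener end to end with a TLS-capable client such as kdig +tls @127.0.0.1 example.com, or just the handshake with openssl s_client -connect 127.0.0.1:853.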