Hi Jon,
You can use kdig for this, which is meanwhile part of the IPFire core system. I wrote a script a while ago which checks this for me; if you want to take a look inside it, here it is -->
#!/bin/bash -
#
# Test configured DoTs via kdig.
#
# ummeegge 22.02.2020
################################
#
# Formatting (fall back to 80 columns when there is no terminal, e.g. under cron)
COLUMNS="$(tput cols 2>/dev/null || echo 80)"
separator(){ printf -v _hr "%*s" "${COLUMNS}" && echo "${_hr// /${1-=}}"; }
# Paths
CONFIG="/var/ipfire/dns/servers"
SETTINGS="/var/ipfire/dns/settings"
BUNDLE="/etc/ssl/certs/ca-bundle.crt"
# Check for DoT forwarder
if ! grep -q 'PROTO=TLS' "${SETTINGS}" 2>/dev/null; then
    echo "DNS-over-TLS is not configured yet. Need to quit... "
    exit 1
fi
# Get DoT data and write it to temporary files
# (mktemp instead of fixed names in /tmp, so nobody can pre-create or symlink them;
#  the EXIT trap removes them on every exit path)
HOST="$(mktemp)"
IP="$(mktemp)"
trap 'rm -f "${IP}" "${HOST}"' EXIT
# Field 2 is the server IP, field 3 the TLS hostname of each enabled forwarder
awk -F',' '/enabled/ { print $3 }' "${CONFIG}" > "${HOST}"
awk -F',' '/enabled/ { print $2 }' "${CONFIG}" > "${IP}"
# Mainpart
echo
separator
while read -u 3 -r ip && read -u 4 -r host; do
    echo
    # -d prints the TLS debug output (certificate hierarchy, "TLS session"),
    # +dnssec asks for DNSSEC data so the 'ad' flag shows up when validation worked
    kdig -d @"${ip}" +edns=0 +dnssec +tls-ca="${BUNDLE}" +tls-host="${host}" www.isoc.org
    status=$?
    echo
    echo "Exit status: ${status}"
    echo
    separator
done 3<"${IP}" 4<"${HOST}"
# Clean up is done by the EXIT trap above
# EOF
The script checks for encryption (the 'TLS session'), the certificate hierarchy (whether it is trusted); DNSSEC can be checked via the 'Flags' --> if you can find the 'ad' flag, DNSSEC is enabled and works; but also the response time, and a lot more…
The command for a single instance e.g. lightningwirelabs, looks like this:
kdig -d @81.3.27.54 +edns=0 +dnssec +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-host=recursor01.dns.lightningwirelabs.com www.isoc.org
There is also another script which presents all that in a shorter overview, but I think this might be a good one to start with?
Best,
Erik
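Added example, not code from Erik's post or from IPFire: the post tells you which markers to look for in the long `kdig -d` output (the 'TLS session' line, whether the certificate is trusted, the 'ad' flag, the response time). The script below turns that manual reading into a one-line verdict per forwarder. The marker strings it greps for are assumptions based on kdig's debug output and may differ slightly between knot-dnsutils versions; the two sample outputs are constructed, not captured from a real server, so the parser can be exercised without kdig or network access.

```shell
#!/bin/bash
# Added example, not code from the post or from IPFire: reduce the long
# 'kdig -d' output to a one-line verdict per DoT forwarder.
#
# Assumptions (markers as named in the post; exact wording may differ
# between knot-dnsutils versions):
#   ";; TLS session (...)"                       -> TLS handshake succeeded
#   ";; DEBUG: TLS, The certificate is trusted." -> chain validates against +tls-ca
#   ";; Flags: qr rd ra ad; ..."                 -> 'ad' = DNSSEC-validated answer
#   ";; From <ip>@853(TCP) in <n> ms"            -> response time

# check_dot_output: read kdig output on stdin, print "tls=.. trusted=.. ad=.. rtt=..",
# return 0 only if TLS, a trusted certificate and the 'ad' flag are all present.
check_dot_output() {
    local out tls=no trusted=no ad=no flags rtt
    out="$(cat)"
    printf '%s\n' "$out" | grep -q '^;; TLS session' && tls=yes
    # "certificate is NOT trusted" deliberately does not match this pattern
    printf '%s\n' "$out" | grep -qi 'certificate is trusted' && trusted=yes
    # Header flags sit between "Flags:" and the first ';'
    flags="$(printf '%s\n' "$out" | sed -n 's/^;; Flags: \([^;]*\);.*/\1/p')"
    case " $flags " in *" ad "*) ad=yes ;; esac
    rtt="$(printf '%s\n' "$out" | sed -n 's/^;; From .* in \([0-9.]* ms\)$/\1/p')"
    printf 'tls=%s trusted=%s ad=%s rtt=%s\n' "$tls" "$trusted" "$ad" "${rtt:-?}"
    [ "$tls" = yes ] && [ "$trusted" = yes ] && [ "$ad" = yes ]
}

# check_configured_servers: run kdig against every enabled forwarder in the
# IPFire server list (field 2 = IP, field 3 = TLS hostname, the same layout
# the post's script relies on). Needs kdig and network access; returns 1 if
# any server fails the check.
check_configured_servers() {
    local config="${1:-/var/ipfire/dns/servers}"
    local bundle="${2:-/etc/ssl/certs/ca-bundle.crt}"
    local line ip host rc=0
    while IFS= read -r line; do
        case "$line" in *enabled*) ;; *) continue ;; esac
        ip="$(printf '%s' "$line" | cut -d, -f2)"
        host="$(printf '%s' "$line" | cut -d, -f3)"
        printf '%-16s %-40s ' "$ip" "$host"
        kdig -d @"$ip" +edns=0 +dnssec +tls-ca="$bundle" +tls-host="$host" www.isoc.org 2>&1 \
            | check_dot_output || rc=1
    done < "$config"
    return "$rc"
}

# Constructed sample output (abridged, not captured from a real server) so the
# parser can be exercised offline.
SAMPLE_OK="$(cat <<'EOF'
;; DEBUG: Querying for owner(www.isoc.org.), class(IN), type(A), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=recursor01.dns.lightningwirelabs.com
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4711
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; From 81.3.27.54@853(TCP) in 45.2 ms
EOF
)"

# Same exchange, but the resolver did not validate (no 'ad' flag): TLS alone
# is not enough for a green light.
SAMPLE_NO_AD="$(printf '%s\n' "$SAMPLE_OK" | sed 's/^;; Flags: qr rd ra ad;/;; Flags: qr rd ra;/')"

if [ "${1:-}" = "--live" ]; then
    check_configured_servers          # real run on an IPFire box
else
    printf '%s\n' "$SAMPLE_OK"    | check_dot_output || echo "  -> check FAILED"
    printf '%s\n' "$SAMPLE_NO_AD" | check_dot_output || echo "  -> check FAILED"
fi
```

Run it without arguments to see the two constructed samples evaluated (the second one fails on the missing 'ad' flag), or with `--live` on the firewall itself to walk through /var/ipfire/dns/servers. The verdict deliberately requires all three of TLS session, trusted chain and 'ad': a forwarder that speaks TLS but hands back unvalidated answers still shows up as a failure.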