Here are some “kdigs”:

kdig @89.233.43.71 +dnssec +bufsize=1232 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-hostname=unicast.censurfridns.dk -d
;; DEBUG: Querying for owner(.), class(1), type(2), server(89.233.43.71), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, CN=unicast.censurfridns.dk
;; DEBUG: SHA-256 PIN: INSZEZpDoWKiavosV2/xVT8O83vk/RRwS+LTiL+IpHs=
;; DEBUG: #2, C=US,O=Let's Encrypt,CN=R3
;; DEBUG: SHA-256 PIN: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server 89.233.43.71@853(TCP)

kdig @91.239.100.100 +dnssec +bufsize=1232 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-hostname=anycast.censurfridns.dk -d
;; DEBUG: Querying for owner(.), class(1), type(2), server(91.239.100.100), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, CN=kracon.anycast.censurfridns.dk
;; DEBUG: SHA-256 PIN: 6eW98h0+xxuaGQkgNalEU5e/hbgKyUoydpPMY6xcKyY=
;; DEBUG: #2, C=US,O=Let's Encrypt,CN=R3
;; DEBUG: SHA-256 PIN: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server 91.239.100.100@853(TCP)