systemd-resolved now supports DNS-over-TLS. It's still turned off by default; use DNSOverTLS=opportunistic to turn it on in resolved.conf. We intend to make this the default as soon as a couple of additional techniques for optimizing the initial latency caused by establishing a TLS/TCP connection are implemented.
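As an added example (not code from systemd or from this page), the Python below works out which `DNSOverTLS=` mode results from a main `resolved.conf` plus drop-ins and whether plaintext DNS is still possible in that mode. The function names, the "later file wins" ordering, the handling of invalid values and the sample file contents are assumptions made for the illustration.

```python
# Added example: work out which DNSOverTLS= mode systemd-resolved would use.
# File contents below are constructed samples, not taken from a real host.
TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}

def effective_dot_mode(*config_texts, default="no"):
    """Return 'no', 'opportunistic' or 'yes' for the given file contents.

    Pass the main resolved.conf first, then drop-ins in the order they are
    read; a later assignment overrides an earlier one. The default is 'no'
    because the page says the feature is off by default.
    """
    mode = default
    for text in config_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue                      # blank line or comment
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            if section != "Resolve" or "=" not in line:
                continue
            key, value = (p.strip() for p in line.split("=", 1))
            if key != "DNSOverTLS":
                continue
            value = value.lower()
            if value in TRUE:
                mode = "yes"                  # strict mode; not mentioned on the page
            elif value in FALSE:
                mode = "no"
            elif value == "opportunistic":
                mode = "opportunistic"
            # Assumption: any other value is ignored and the mode is unchanged.
    return mode

def plaintext_possible(mode):
    """True when queries can still leave the host unencrypted."""
    # 'opportunistic' tries TLS but falls back to plain DNS if the server
    # does not support it, so it does not guarantee encryption.
    return mode in ("no", "opportunistic")

MAIN = "[Resolve]\n#DNSOverTLS=no\nDNS=192.0.2.53\n"       # constructed
DROPIN = "[Resolve]\nDNSOverTLS=opportunistic\n"           # constructed

if __name__ == "__main__":
    for files in ((MAIN,), (MAIN, DROPIN)):
        m = effective_dot_mode(*files)
        print(m, "plaintext possible:", plaintext_possible(m))
```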
Lars de Bruin has kindly created a Docker image which uses BIND as a caching local resolver with Stubby as a TLS forwarder.
|iOS||Work is underway on an iOS app, however it is currently blocked by an implementation restriction.|
- systemd natively supports opportunistic DNS-over-TLS, see https://www.freedesktop.org/software/systemd/man/resolved.conf.html