If you want to try out DNS-over-TLS then instructions are listed below.
The zone is named starttls.verisignlabs.com and it has A, AAAA, and TXT records for names from 'A' to 'Z'.
The IP address of the server is currently 188.8.131.52 - it might change so check for yourself.
To query this with drill use: (the IP address is used here simply to stop the server name resolution falling back to TCP because your local resolver doesn't support DNS-over-TLS).
If you want to decode the DNS packets in Wireshark (use 1.12.1 or later)
download the server key file: nsd.key
configure the key in wireshark in Edit->Preferences