You can get visibility and control over DNS-over-TLS requests by decrypting the DNS payload contained within the encrypted DNS request. The decrypted DNS payload can then be processed using the security profile configuration containing your DNS policy settings. DNS requests that have been determined to have originated from TLS sources have a source port of 853 in the threat logs.