Advanced Threat Prevention or Threat Prevention License
You can get visibility and control over DNS-over-TLS
requests by decrypting the DNS payload contained within the encrypted
DNS request. The decrypted DNS payload can then be processed using
the security profile configuration containing your DNS policy settings.
DNS requests that have been determined to have originated from TLS
sources have a source port of 853 in the threat logs.