Is DNS Interception available?

I’m looking at the “RFC - Istio DNS Interception” (Google Doc) which has been approved, and wondering if it’s functional in 1.6 or 1.7? I’ve tried 1.6.5, and the settings:

meshConfig.defaultConfig.proxyMetadata.DNS_CAPTURE=ALL 
meshConfig.defaultConfig.proxyMetadata.DNS_AGENT=DNS-TLS

Appear to be accepted. istiod starts to listen on port 15053, and there are rules within envoy for port 853, but I don’t see anything for UDP/TCP port 53 (either within envoy or via iptables-save).

What are the requirements to get this work work, as there doesn’t seem to be any user-facing documentation in either 1.6 or 1.7 (if it’s there, and I’m missing it, a pointer would be great)?

If it is available, is there a way to demonstrate that it is working?