diff --git a/test/tls_test.go b/test/tls_test.go
new file mode 100644
index 000000000..f302d5105
--- /dev/null
+++ b/test/tls_test.go
@@ -0,0 +1,46 @@
+package test
+
+import (
+	"crypto/tls"
+	"testing"
+
+	"github.com/miekg/dns"
+)
+
+func TestDNSoverTLS(t *testing.T) {
+	corefile := `tls://.:1053 {
+        tls ../plugin/tls/test_cert.pem ../plugin/tls/test_key.pem
+        whoami
+    }`
+	qname := "example.com."
+	qtype := dns.TypeA
+	answerLength := 0
+
+	ex, _, tcp, err := CoreDNSServerAndPorts(corefile)
+	if err != nil {
+		t.Fatalf("Could not get CoreDNS serving instance: %s", err)
+	}
+	defer ex.Stop()
+
+	m := new(dns.Msg)
+	m.SetQuestion(qname, qtype)
+	client := dns.Client{
+		Net:       "tcp-tls",
+		TLSConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	r, _, err := client.Exchange(m, tcp)
+
+	if err != nil {
+		t.Fatalf("Could not exchange msg: %s", err)
+	}
+
+	if n := len(r.Answer); n != answerLength {
+		t.Fatalf("Expected %v answers, got %v", answerLength, n)
+	}
+	if n := len(r.Extra); n != 2 {
+		t.Errorf("Expected 2 RRs in additional section, but got %d", n)
+	}
+	if r.Rcode != dns.RcodeSuccess {
+		t.Errorf("Expected success but got %d", r.Rcode)
+	}
+}