Given this I think it is more than fair to assume that TLS 1.2 is fully compromised. This cannot be just about encrypted DNS.