#!/bin/sh;#name: dot

        export DOTLIST=/path/dot.lst
        test -f $DOTLIST ||exec echo $DOTLIST missing
        x=$(case $(uname) in :)
        ;;Linux)shuf $DOTLIST
        ;;NetBSD)shuffle -f $DOTLIST
        esac|sed 's/ \{0,80\}//;/^[ ]\{0,80\}[;#]/d;/^$/d;/./q')
        test $x||{
        x=$(sed 's/ *//;/[;#]/d;/^$/d' $DOTLIST|sed -n '$!d;=')
        x=$(echo|awk '{srand();printf "%i\n",rand()*'$x'}')
        x=$(sed 's/ *//;/[;#]/d;/^$/d' $DOTLIST|sed -n "$x"p)
        }
        if
        test $# -gt 0
        then
        case $1 in -h|-?|--help)
        exec echo usage: ${0##*/} [domainlist]
        esac
        test -f $1||exit
        fi
        streamtcp -ansf $x $(sed 's/$/ a in/' ${1-/dev/stdin}) ||
        echo svr $x

dot.lst is a list of DoT servers in format ip@port

comments may begin with '#' or ';'

        # working
        5.5.5.5@853
        # not working
        ;6.6.6.6@443

example usage:

        dot < domains.txt > data 
        yy101 4 < data|sqlite3 map-ip.db

"Having probed 1.3 million open DNS resolvers using the IP-based discovery mechanism, we identify 313k IPv4 and 8.4k IPv6 recursives returning one or more SVCB records with DDR configurations (or DDR records in the remainder of this article)."

Unclear how "resolvers" is defined

It is doubtful to me there are 1.3M "resolvers" on the open internet as I understand the meaning of that term. But without providing the methodology or raw data it's impossible to verify the authors' conclusions

Perhaps some of these "resolvers" are actually "forwarders" that forward queries to an "upstream" resolver (and possibly manipulate responsees)

"The target name field (e.g., one.one.one.one) contains the domains of designated endpoints, indicating the providers behind these services."

Perhaps "providers" refers to the upstream resolvers