OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: Giant850 on April 11, 2021, 07:28:25 AM

Title: OPNSense Unbound + DNSCrypt-Proxy is slow/unreliable
Post by: Giant850 on April 11, 2021, 07:28:25 AM
I've been running DNSCrypt on a RPi for a couple of years, and it's been rock solid. I use NextDNS as the upstream DNS server. I'm trying to consolidate services into OpnSense 21.1.4, and set up Unbound + DNSCrypt-Proxy. However, what I'm finding is that the combination is highly unreliable (often get SERVFAIL messages) and often name resolution takes 5-10 SECONDS per query.

If I reconfigure Unbound to NOT use DNSCrypt, then everything seems to be snappy and reliable. This is the code I'm using with Unbound:

server:
  # Unbound refuses to send queries to localhost by default; this allows it
  # to forward to dnscrypt-proxy listening on the loopback address
  do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5353
  forward-addr: ::1@5353


Any ideas on why Unbound + DNSCrypt-proxy is a) often slow and b) often gives me SERVFAIL messages? I've never experienced this with my RPi DNSCrypt instance. That has been rock solid and super fast for 2+ years.
Title: Re: OPNSense Unbound + DNSCrypt-Proxy is slow/unreliable
Post by: Giant850 on April 11, 2021, 05:19:25 PM
I did some more troubleshooting this morning, and if I SSH into OPNSense and do:

dnscrypt-proxy -resolve www.apple.com

I can see that it's using NextDNS, and it instantly resolves the IPv4 and IPv6 addresses. However, from my Mac, which is pointed to 10.13.2.1 (OPNSense/Gateway) I get SERVFAIL for the same nslookup.

I disabled unbound, and configured DNSCrypt-proxy to listen on 10.13.2.1:53, and now nslookups from clients are instant and actually work.

So it appears to me that Unbound is having the issue. I didn't use Unbound on my RPi setup, so I'm unfamiliar with it. Does it add any value here, or can I just run with DNSCrypt-proxy?
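A quick way to localize which hop is returning SERVFAIL, as an added example rather than anything posted in the thread: run the same query on the OPNsense box against dnscrypt-proxy directly, through Unbound, and through Unbound with the CD (checking disabled) bit set. It assumes the listeners from the posted config (dnscrypt-proxy on 127.0.0.1:5353, Unbound on 127.0.0.1:53) and uses drill, which ships with FreeBSD and therefore OPNsense; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Probes each resolver hop on the
# OPNsense box itself. Assumed listeners: dnscrypt-proxy on 127.0.0.1:5353
# and Unbound on 127.0.0.1:53, matching the posted forward-zone.

# Pull the response code (NOERROR, SERVFAIL, ...) out of drill output on stdin.
parse_rcode() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, rcode: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Pull the query time in milliseconds out of drill output on stdin.
parse_qtime() {
    sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' | head -n 1
}

# probe SERVER PORT NAME [DRILL_OPTS]
# Runs one A query and prints a one-line summary. A failed drill run (no
# listener, timeout) is reported as rcode=NONE rather than aborting the script.
probe() {
    server=$1
    port=$2
    name=$3
    opts=$4
    out=$(drill $opts @"$server" -p "$port" "$name" A 2>&1 || true)
    rc=$(printf '%s\n' "$out" | parse_rcode)
    ms=$(printf '%s\n' "$out" | parse_qtime)
    printf '%s:%s %-5s rcode=%s time=%sms\n' \
        "$server" "$port" "${opts:-plain}" "${rc:-NONE}" "${ms:-?}"
}

# Query the same name three times through each path; repeated runs matter
# because the failures in the thread were intermittent.
compare_paths() {
    name=${1:-www.apple.com}
    for i in 1 2 3; do
        probe 127.0.0.1 5353 "$name"          # dnscrypt-proxy directly
        probe 127.0.0.1 53   "$name"          # through Unbound, normal query
        probe 127.0.0.1 53   "$name" "-o CD"  # through Unbound, DNSSEC checking disabled
    done
}

# Only run the probes when drill is present, so the parsing functions can be
# sourced and reused on a machine without it.
if command -v drill >/dev/null 2>&1; then
    compare_paths "$@"
fi
```

Reading the output: if 5353 answers NOERROR in a few milliseconds while :53 returns SERVFAIL or takes seconds, Unbound is where the delay and the failures are being added, which is what the nslookup comparison above showed. If a SERVFAIL on :53 disappears only when the CD bit is set, Unbound is failing DNSSEC validation of the forwarded answers; that narrows where to look in the Unbound log but is not a diagnosis of this thread's case.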
Title: Re: OPNSense Unbound + DNSCrypt-Proxy is slow/unreliable
Post by: JohnnyBeee on July 14, 2021, 12:20:47 PM
It is a pity nobody answered this. I experienced the same.
It happened a few times every day. I could unblock the situation by restarting unbound.
Now I do not use unbound any more and DNS lookups work all the time.
Title: Re: OPNSense Unbound + DNSCrypt-Proxy is slow/unreliable
Post by: rman50 on July 14, 2021, 05:51:39 PM
I can't comment on the issue you have between Unbound and DNSCrypt-Proxy. But you can eliminate DNSCrypt-Proxy altogether and configure Unbound to go directly to NextDNS using DoT (DNS-over-TLS). I have been running with Unbound DoT to NextDNS for several months with no issues and great performance. NextDNS lists the DoT configuration for Unbound on their site in the setup instructions for routers. You will also need to add the following line to the "server" section: tls-cert-bundle: "/etc/ssl/cert.pem". If you set NextDNS to not use the block page and return 0.0.0.0, you may want to "Disable DNS Rebinding Checks" under System->Settings->Administration, otherwise Unbound will reject the response from NextDNS.
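The DoT setup described above, written out as an added example (not the thread's own code and not NextDNS's published snippet): a small script that generates the Unbound fragment for forwarding to NextDNS over TLS, validates it with unbound-checkconf, and installs it only if validation passes. Assumptions, labelled in the code: PROFILE_ID is your NextDNS configuration ID; the four forwarder addresses are the anycast IPs NextDNS publishes for DoT and should be checked against your own NextDNS setup page; the drop-in directory is where this OPNsense build includes custom Unbound options (if your version has no such directory, paste the fragment into the "Custom options" field under Services > Unbound DNS instead, since unbound.conf itself is regenerated by OPNsense); configctl is OPNsense's service-control tool. The CA bundle path is the one given in the post.

```shell
#!/bin/sh
# Added example, not from the thread or from NextDNS. Generates the Unbound
# fragment for forwarding to NextDNS over DNS-over-TLS and checks it with
# unbound-checkconf before it is installed. See the assumptions in the
# comments below.

# nextdns_dot_conf PROFILE_ID -> prints the fragment on stdout
# PROFILE_ID is assumed to be the ID from your NextDNS configuration; the
# addresses are the ones NextDNS publishes for DoT (verify against your setup page).
nextdns_dot_conf() {
    id=$1
    [ -n "$id" ] || { echo "usage: nextdns_dot_conf PROFILE_ID" >&2; return 1; }
    cat <<EOF
server:
  # CA bundle Unbound uses to verify the upstream's TLS certificate
  tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
  name: "."
  # send every query to the forwarders over TLS (port 853); the name after
  # '#' is the hostname Unbound expects to find in the server certificate
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0@853#$id.dns.nextdns.io
  forward-addr: 2a07:a8c0::@853#$id.dns.nextdns.io
  forward-addr: 45.90.30.0@853#$id.dns.nextdns.io
  forward-addr: 2a07:a8c1::@853#$id.dns.nextdns.io
EOF
}

# count_forwarders PROFILE_ID -> number of forward-addr lines in the fragment
count_forwarders() {
    nextdns_dot_conf "$1" | grep -c '^  forward-addr:'
}

# install_fragment PROFILE_ID [DEST]
# Writes the fragment to a temp file, validates it, and only then moves it
# into place and restarts Unbound. DEST defaults to an assumed OPNsense
# drop-in directory; adjust it to where your version includes custom options.
install_fragment() {
    id=$1
    dest=${2:-/usr/local/etc/unbound.opnsense.d/nextdns-dot.conf}   # assumed path
    tmp=$(mktemp) || return 1
    nextdns_dot_conf "$id" > "$tmp" || { rm -f "$tmp"; return 1; }
    if unbound-checkconf "$tmp"; then
        mv "$tmp" "$dest"
        # assumed OPNsense hook: regenerates unbound.conf and restarts the service
        configctl unbound restart
    else
        echo "fragment rejected by unbound-checkconf, nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi
}
```

Typical use on the firewall is `install_fragment YOURID` after sourcing the script. After the restart, a query with `drill -D @127.0.0.1 www.apple.com` should answer, and with NextDNS set to return 0.0.0.0 for blocked names the rebinding-check caveat in the post applies unchanged, because that is Unbound's private-address handling rather than anything in this fragment.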