I've been running DNSCrypt-proxy on a RPi for 2+ years without issue, and it is working great. However, I'm trying to migrate that functionality into OPNSense. My configured upstream resolver is NextDNS.io, and I have a SDNS stamp from them. I also disabled unbound on OPNSense, and have dnscrypt-proxy listening on port 53.
I set up OPNSense dnscrypt-proxy with my NextDNS stamp, and put that server in the server list. However, what is NOT working well are NextDNS blocks, which should return 0.0.0.0. If I log in to my OPNSense instance and run:
dnscrypt-proxy -resolve app-measurement.com
I get a valid IP:
Resolving [app-measurement.com] using 10.13.2.1 port 53
Resolver      : 45.32.79.76 (dns.nextdns.io.)
Lying         : no
DNSSEC        : yes, the resolver supports DNSSEC
Canonical name: app-measurement.com.
IPv4 addresses: 172.217.14.110
IPv6 addresses: 2607:f8b0:4007:80e::200e
Name servers  : ns4.google.com., ns2.google.com., ns1.google.com., ns3.google.com.
DNSSEC signed : no
Mail servers  : no mail servers found
HTTPS alias   : -
HTTPS info    : -
Host info     : -
TXT records   : v=spf1 -all
As you can see, it appears to first hit the dns.nextdns.io server, but somehow it appears to also be using Google name servers and thus gets back a valid IP. However, when I run the EXACT same dnscrypt-proxy resolve command on my RPi, I see:
pi@raspberrypi1:/opt/dnscrypt-proxy $ ./dnscrypt-proxy -resolve app-measurement.com
Resolving [app-measurement.com]
Domain exists:  probably not, or blocked by the proxy
Canonical name: app-measurement.com.
IP addresses:   0.0.0.0, ::
TXT records:    -
Resolver IP:    45.32.79.76 (dns.nextdns.io.)
Which obviously IS working, since I got back 0.0.0.0.
I'm baffled why the OPNSense dnscrypt-proxy instance is resolving the hostname and apparently hitting google servers as well. Any ideas? 

Did you try with dig and your local instance, and check the dnscrypt logs?

I used Drill on OPNSense and got this:
root@OPNsense:/usr/local/etc/dnscrypt-proxy # drill c.bing.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 40401
;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; c.bing.com.	IN	A
;; ANSWER SECTION:
c.bing.com.	21598	IN	CNAME	c-bing-com.a-0001.a-msedge.net.
c-bing-com.a-0001.a-msedge.net.	58	IN	CNAME	dual-a-0001.a-msedge.net.
dual-a-0001.a-msedge.net.	58	IN	A	13.107.21.200
dual-a-0001.a-msedge.net.	58	IN	A	204.79.197.200
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 9 msec
;; SERVER: 1.1.1.1
;; WHEN: Tue Apr 13 08:42:17 2021
;; MSG SIZE  rcvd: 130
What is interesting is that the server response is from 1.1.1.1. DNSCrypt-Proxy isn't configured to use 1.1.1.1; however, I DO have 1.1.1.1 configured in OPNSense under System/Settings/General. I did this because if I left all those DNS server entries empty, then WireGuard would not properly start on reboot, as it was trying to resolve my external WG hostname and failing. DNSCrypt-proxy starts AFTER WireGuard tries to initialize when you reboot.
Any ideas on how I can best configure DNS/WireGuard/DNSCrypt-proxy so that all name resolution goes through DNSCrypt-proxy?

I ran Dig from my laptop, which is pointed to OPNSense for DNS. It is querying 10.13.2.1 (where DNSCrypt-proxy is listening), but I still get back real IPs vs. the 0.0.0.0 that NextDNS and my RPis correctly return.
dig c.bing.com        
; <<>> DiG 9.10.6 <<>> c.bing.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16634
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;c.bing.com.			IN	A
;; ANSWER SECTION:
c.bing.com.		394	IN	CNAME	c-bing-com.a-0001.a-msedge.net.
c-bing-com.a-0001.a-msedge.net.	394 IN	CNAME	dual-a-0001.a-msedge.net.
dual-a-0001.a-msedge.net. 394	IN	A	204.79.197.200
dual-a-0001.a-msedge.net. 394	IN	A	13.107.21.200
;; Query time: 55 msec
;; SERVER: 10.13.2.1#53(10.13.2.1)
;; WHEN: Tue Apr 13 09:25:57 PDT 2021
;; MSG SIZE  rcvd: 141
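The dig output above shows a real answer coming back from 10.13.2.1. What follows is an added example, not code from this thread, OPNsense or dnscrypt-proxy: a dependency-free Python check that sends an A query straight to a chosen resolver and classifies the reply as blocked (0.0.0.0 / ::) or resolved, so the same name can be compared against 10.13.2.1, the RPi, and 1.1.1.1 side by side. The resolver address in query() is whatever you pass in, and build_response() is a constructed sample reply used only to exercise the parser offline.

```python
import socket
import struct
def build_query(name, qid=0x1234, qtype=1):
    """Minimal DNS query with RD set; QTYPE 1 = A (28 = AAAA)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_answers(msg):
    """Collect A/AAAA rdata from the answer section as address strings."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):               # skip the question: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return addrs

def classify(addrs):
    """'blocked' means every address is the 0.0.0.0 / :: sinkhole a filtering resolver hands back."""
    sinkholed = all(a in ("0.0.0.0", "::") for a in addrs)
    return "no-address" if not addrs else ("blocked" if sinkholed else "resolved")

def query(name, server, port=53, timeout=3.0):
    """Send one UDP A query directly to `server` (e.g. 10.13.2.1) and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        return classify(parse_answers(s.recv(4096)))

def build_response(name, addrs, qid=0x1234):
    """Constructed sample reply for offline testing; RRs point (0xC00C) back at the question name."""
    rrs = b""
    for a in addrs:
        rdata = socket.inet_pton(socket.AF_INET6 if ":" in a else socket.AF_INET, a)
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 28 if ":" in a else 1, 1, 60, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0) + build_query(name, qid)[12:] + rrs
```

Running query("app-measurement.com", "10.13.2.1") beside query("app-measurement.com", "<RPi address>") shows directly whether the OPNsense listener is the one returning real addresses, independent of what the client's stub resolver or /etc/resolv.conf happens to be doing.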

Any ideas here? I'm kind of at a loss on what's going on with DNSCrypt.

You need to tell the tool to explicitly ask dnscrypt. Also, we need logs :)

Since I was using DNSCrypt to forward queries to NextDNS, I fixed this problem via a config change. I directly installed NextDNS CLI on OPNsense and have it listening on port 53. Clients then point to OPNsense for DNS, and all queries are directed to NextDNS, bypassing the need for DNSCrypt.