"
Your workaround will probably help, but honestly it does sound more like a startup race condition than an actual DNSCrypt crash. Especially since manually restarting DNSCrypt and then Unbound immediately fixes everything.
I've seen similar behavior on OPNsense when services depending on WAN connectivity or IPv6 come up before interfaces are fully settled. DNSCrypt may technically "start" successfully, but fail to establish upstream connectivity during boot and end up in a half-dead state while Unbound happily starts forwarding to it.
The timing in your logs is suspiciously tight too. One second between DNSCrypt and Unbound startup is not much, especially with a huge DNSBL load and interface initialization still happening in parallel.
Your staggered cron workaround is actually pretty reasonable as a first step. Personally I'd also test whether disabling IPv6 temporarily changes the behavior, just to rule out delayed RA/DHCPv6 assignment causing DNSCrypt startup failures.
Another thing worth checking is whether the DNSCrypt plugin has proper service dependencies defined at all. Some plugins don't fully integrate with boot ordering and assume networking is already stable when rc starts them.
I've seen similar behavior on OPNsense when services depending on WAN connectivity or IPv6 come up before interfaces are fully settled. DNSCrypt may technically "start" successfully, but fail to establish upstream connectivity during boot and end up in a half-dead state while Unbound happily starts forwarding to it.
The timing in your logs is suspiciously tight too. One second between DNSCrypt and Unbound startup is not much, especially with a huge DNSBL load and interface initialization still happening in parallel.
Your staggered cron workaround is actually pretty reasonable as a first step. Personally I'd also test whether disabling IPv6 temporarily changes the behavior, just to rule out delayed RA/DHCPv6 assignment causing DNSCrypt startup failures.
Another thing worth checking is whether the DNSCrypt plugin has proper service dependencies defined at all. Some plugins don't fully integrate with boot ordering and assume networking is already stable when rc starts them.
