Unbound + DNScrypt intermittent failures (SEVRFAIL)

[blblblb]

Hi,

This has been mentioned in other posts for a while:
https://forum.opnsense.org/index.php?topic=22585.0

The symptoms are failed DNS resolution that persists for any given host using Unbound as resolver, with Unbound itself passing the requests to DNScrypt locally. I have tested this with Tor and Shadowsocks proxies and TCP only servers enabled. The jostle period sometimes might help, but it won't fix the problem. DNSSEC hardening disabled.

It manifests for clients as a persistent SERVFAIL response, whereas targeting DNScrypt directly will actually yield proper responses and the name is resolved successfully.

I have sometimes worked around the problem by forcing a cron job to restart Unbound periodically, but this is admittedly a crappy way to solve the symptoms and not the actual "disease".