Help needed with DNSCrypt config

Started by hushcoden, April 04, 2026, 09:29:15 PM

I'm playing around with DNSCrypt (+ Unbound) and there are a couple of things I need clarification on:

1. In Unbound -> Query Forwarding there are two options that I cannot understand, i.e. 'Forward TCP upstream' & 'Forward first' - can someone please confirm whether I have to check them?

2. If I disable DNSCrypt to check any possible DNS leaks, I actually still have Internet access, and on dnsleaktest.com I can see it finds one DNS server, which is my ISP's. How do I troubleshoot this?

Tia.

On the two Unbound settings:

Forward TCP upstream: This tells Unbound to use TCP instead of UDP when forwarding queries to DNSCrypt. Leave this off unless you are seeing UDP truncation errors. DNSCrypt handles transport internally and the default UDP forwarding works fine for most setups.

Forward first: This tells Unbound to attempt recursive resolution itself first and only use the forwarder if that fails. You want this OFF when DNSCrypt is your upstream. With it on, Unbound may bypass DNSCrypt entirely and resolve queries directly, which defeats the purpose. Turn it off so all queries flow to DNSCrypt.

For the DNS leak when DNSCrypt is disabled: when you disable the DNSCrypt forwarder, Unbound has no upstream configured and falls back to the DNS servers set on your WAN interface, which come from DHCP and are your ISP's servers. To fix this, go to System > Settings > General and set explicit DNS servers there, such as 1.1.1.1 or 9.9.9.9. These override the DHCP-provided DNS and will be used by Unbound as fallback when DNSCrypt is not active.

When DNSCrypt is running and configured as the Unbound forwarder, none of this matters because all queries go through it. But when you toggle DNSCrypt off for testing, having ISP DNS as the fallback is expected unless you set static upstream servers in General settings.

To confirm DNSCrypt is handling queries when active, run a quick check from the OPNsense shell:

dig @127.0.0.1 whoami.akamai.net

If it returns your real IP via a non-ISP resolver, DNSCrypt is working.

Today at 11:53:17 AM #2 Last Edit: Today at 12:16:48 PM by hushcoden
Many thanks for your explanation, much appreciated.

I ran that dig command, and this is the output:

; <<>> DiG 9.20.20 <<>> @127.0.0.1 whoami.akamai.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;whoami.akamai.net.            IN      A

;; ANSWER SECTION:
whoami.akamai.net.      2400    IN      A      74.63.26.235

;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Apr 05 10:42:48 BST 2026
;; MSG SIZE  rcvd: 62

The only IP address returned is 74.63.26.235 (I use Quad9 as resolver, so I think that IP address from WoodyNet makes sense), but I don't see my real IP address; is that an issue?

I forgot to mention that I also have two relays; is that the reason why I can't see my real IP address?
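The output above is easier to read once you know what the whoami.akamai.net record actually reports: Akamai's authoritative servers answer with the source address of the recursive resolver that contacted them, not with the client's own address. So with Unbound forwarding to Quad9 over DNSCrypt (relays or not), the expected answer is a Quad9 egress address; your own WAN address would only appear if Unbound had resolved the name itself, bypassing the forwarder. The script below is an added example, not code from the thread: it parses the dig output pasted in the post above (used here as sample input) and compares the reported resolver address with the router's WAN address, which is a placeholder you would replace with your real one.

```python
import re
from ipaddress import ip_address

# Sample input: the dig output pasted in the post above, embedded so the
# parser runs offline (the whoami answer 74.63.26.235 is the one from the post).
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.20.20 <<>> @127.0.0.1 whoami.akamai.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;whoami.akamai.net.            IN      A

;; ANSWER SECTION:
whoami.akamai.net.      2400    IN      A      74.63.26.235

;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Apr 05 10:42:48 BST 2026
;; MSG SIZE  rcvd: 62
"""

# One resource record line in the ANSWER SECTION: name, TTL, class IN, A/AAAA, rdata.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)\s*$")
# The ";; SERVER:" line names the resolver dig itself talked to (here the local Unbound).
SERVER_RE = re.compile(r"^;; SERVER: (\S+?)#(\d+)")


def parse_dig(output):
    """Return (answers, server): answers is a list of (name, ttl, rtype, rdata)
    tuples from the ANSWER SECTION; server is the address dig sent the query to."""
    answers = []
    server = None
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():        # blank line ends the section
                in_answer = False
                continue
            m = ANSWER_RE.match(line)
            if m:
                answers.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
            continue
        m = SERVER_RE.match(line)
        if m:
            server = m.group(1)
    return answers, server


def classify_resolver_path(reported_ip, wan_ip):
    """whoami.akamai.net returns the source address of whichever recursive
    resolver reached Akamai. Comparing it with the router's own WAN address
    tells direct recursion (forwarder bypassed) apart from forwarding."""
    reported = ip_address(reported_ip)
    if reported == ip_address(wan_ip):
        return "direct-recursion"       # Unbound reached Akamai itself: no forwarder in the path
    if reported.is_private or reported.is_loopback:
        return "unexpected-private"     # a local address should never be visible to Akamai
    return "forwarded"                  # an upstream resolver (the DNSCrypt target) did the lookup


if __name__ == "__main__":
    answers, server = parse_dig(SAMPLE_DIG_OUTPUT)
    wan_ip = "203.0.113.10"  # placeholder: substitute the router's actual WAN address
    for name, ttl, rtype, rdata in answers:
        verdict = classify_resolver_path(rdata, wan_ip)
        print(f"{name} {rtype} {rdata} (ttl {ttl}) asked via {server}: {verdict}")
```

Run it on the router with the real WAN address in place: "forwarded" with a non-ISP address is the healthy state for a DNSCrypt setup, "direct-recursion" means the forwarder is not in the path at all, and an ISP resolver address in the answer is the leak the first post was trying to detect.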

Quote from: hushcoden on Today at 11:53:17 AM
Many thanks for your explanation, much appreciated.

You cannot talk to "him" since it's some kind of spambot that has started posting "Machine Learning Chatbot"-like answers on forums, many of which are also outdated and incorrect, so watch out!! ;)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

E.g. the explanation of forward first is the wrong way round.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
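For reference, this is what the two checkboxes correspond to in a plain unbound.conf, written here as an added example rather than anything taken from the thread or from OPNsense's generated configuration. In Unbound's own documentation forward-first means: if the forwarder answers a query with SERVFAIL, fall back to normal recursion for that query as if no forwarding were configured. That is why it belongs off when DNSCrypt is the only resolver you want in the path. The forwarder address and port are placeholders; the OPNsense dnscrypt-proxy plugin chooses its own listening port, so check that in the plugin.

```conf
# Hand-written stanza for a stock Unbound install (OPNsense writes its own file).
forward-zone:
    name: "."
    # Placeholder: the local dnscrypt-proxy listener; use the plugin's real port.
    forward-addr: 127.0.0.1@5353
    # "no": a SERVFAIL from dnscrypt-proxy fails the query. "yes" would make
    # Unbound recurse on its own for that query, going around DNSCrypt.
    forward-first: no
    # TCP instead of UDP towards the forwarder; only needed when UDP answers
    # are being truncated. Leave at the default.
    forward-tcp-upstream: no
```

With forward-first left at "no", an outage of dnscrypt-proxy shows up as resolution failures, which is the behaviour you want when the point of the setup is that nothing ever reaches a resolver you did not pick.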

Thanks guys, and how do you understand it's actually a bot?

Hopefully I won't fall for it again next time...

Quote from: hushcoden on Today at 04:12:49 PM
Thanks guys, and how do you understand it's actually a bot?
The way the posts were written and all the wrong things they contained on the Pi-Hole Discourse in my case :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

$PERSON has got a couple of accounts under the same name in various tech-related forums. I suspect they are human but tend to copy & paste AI slop trying to be "helpful".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)