Follow this write-up I did and dnscrypt will work for you.
1. It appears that you omitted an instruction:
In /etc/config/dnscrypt-proxy
you must uncomment: option resolvers_list
or else when you query: logread | grep "Proxying from"
you only get:
Jul 1 12:00:00 openwrt daemon.info dnscrypt-proxy[1831]: Proxying from 127.0.0.1:5353 to 208.67.220.220:443
(i.e. OpenDNS is your resolver instead of the preferred one)
reference: https://forum.openwrt.org/viewtopic.php?pid=351471
2. The server names must be present in the local resolvers list. However, the local list at present does not match the internet list and some of the servers are not found:
"I sent pull request with updated resolvers list. d0wn servers should work after update. You always can update resolvers manually by executing:"
wget 'https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv' -O /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
reference: https://forum.openwrt.org/viewtopic.php?pid=342500#p342500
Then LEDE says: "SSL support not available, please install one of the libustream-ssl-* libraries as well as the ca-bundle and ca-certificates packages."
(--Sigh... why is all of this not automated with a GUI like Tomato?)
3. When I run the command: logread | grep dnscrypt
It reports that cisco (and various others) are insecure for various reasons (logging & lack of DNSCRYPT support, key rotation period may exceed recommended value, etc.)
Question:
--Is there a comparison chart which would show all of the relevant features of the various servers?
4. Regarding the test for signatures at: http://dnssec.vs.uni-due.de
Some servers which pass this test are failing the GRC signature test at:
https://www.grc.com/dns/dns.htm
with the error:
"Extra Anti-Spoofing: unknown (Unable to obtain server fingerprint.)"
Question:
--Is the GRC test broken?
5. The GRC spoofability test also says:
Alphabetic Case: all lower (An improvement could be created by mixing case.)
Question:
--How would you remedy this?
6 . Is it correct that DNScrypt server failures would fail over to OpenDNS with this configuration?
7. Add these two lines to stop devices on your network, like Android phones, from using hard-coded DNS servers.
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 53
https://forum.openwrt.org/viewtopic.php?pid=351461#p351461
related threads (for general reference):
https://forum.openwrt.org/viewtopic.php?pid=342500#p342500
https://forum.openwrt.org/viewtopic.php?pid=351461#p351461
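
A pre-flight check for points 1 and 2 above, as an added example that is not part of the original post: it reports a commented-out `option resolvers_list` and any configured resolver name that is missing from the local CSV. The function names and sample files are hypothetical; it assumes the UCI file names the resolver with `option resolver '<name>'` and that the resolver name is the first CSV column.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the OpenWrt UCI layout
# "option resolver '<name>'" and that the CSV's first column is the name.

check_dnscrypt_config() {  # usage: check_dnscrypt_config CONFIG CSV
    conf=$1; csv=$2; rc=0

    # 1) "option resolvers_list" must be active, not commented out.
    if ! grep -Eq '^[[:space:]]*option[[:space:]]+resolvers_list[[:space:]]' "$conf"; then
        echo "resolvers_list is commented out or missing"
        rc=1
    fi

    # 2) Every active "option resolver" value must be a name in the CSV.
    names=$(sed -n "s/^[[:space:]]*option[[:space:]]\{1,\}resolver[[:space:]]\{1,\}['\"]\{0,1\}\([^'\"[:space:]]*\).*/\1/p" "$conf")
    for name in $names; do
        # Skip the header row, take column 1, match the whole name exactly.
        if ! tail -n +2 "$csv" | cut -d, -f1 | grep -Fxq -- "$name"; then
            echo "resolver '$name' is not in $csv"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (not real resolver data) for a stand-alone run.
make_sample() {  # usage: make_sample DIR
    printf '%s\n' 'Name,Full name,Description' \
        'cisco,Cisco OpenDNS,"Sample, quoted description"' \
        'example-ns1,Example resolver,Constructed entry' > "$1/resolvers.csv"
    printf '%s\n' 'config dnscrypt-proxy ns1' \
        "    option resolver 'example-ns2'" \
        "    # option resolvers_list '$1/resolvers.csv'" > "$1/bad.conf"
    printf '%s\n' 'config dnscrypt-proxy ns1' \
        "    option resolver 'example-ns1'" \
        "    option resolvers_list '$1/resolvers.csv'" > "$1/good.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_dnscrypt_config "$tmp/bad.conf" "$tmp/resolvers.csv" || true
check_dnscrypt_config "$tmp/good.conf" "$tmp/resolvers.csv" && echo "good.conf: OK"
rm -rf "$tmp"
```

On a router the call would be `check_dnscrypt_config /etc/config/dnscrypt-proxy /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv`, run after refreshing the CSV and before restarting the service.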