I use an Iranian ISP, which means that DNS is filtered (cached and filtered) by the ISP, so using 8.8.8.8 returns 10.10.34.34 and 10.10.34.35 for filtered domains.
But I have to use 8.8.8.8 because it is fast and it is needed for a lot of Iranian domains, for which it returns the correct IP; if I use dnscrypt or other services, the IP is not returned correctly.
Now I have blacklisted the 10.10.34.34 IP in dnsmasq, but when I do that and set both 8.8.8.8 and dnscrypt, it first tries 8.8.8.8, which returns the internal 10.10.34.34, which dnsmasq filters, but then it doesn't try to get the next answer from dnscrypt, so the overall answer is an empty one.
Is there any way to fix this so that 8.8.8.8 is tried first and, if the filtering address (10.10.34.34) is returned, it then tries the next DNS server and gets the answer from dnscrypt?
If I set strict-order, then the Iranian sites that have DNS issues work because dnsmasq queries 8.8.8.8, but ignoredomain or bogusdomain makes dnsmasq time out or give an empty answer for filtered domains.
If I don't use strict-order, then dnsmasq seems to select dnscrypt for all answers, and then I get bad replies for internal Iranian websites.