Dnscrypt-proxy having trouble with msft update websites

I am running trunk, built within the last few days.

I have never had an issue with dnscrypt-proxy before but just recently it refuses to resolve msft update websites. Everything else works fine. Troubleshooting:

tcpdump captures navigating browser to www.catalog.update.microsoft.com: dnscrypt-proxy reports back NXDOMAIN

From a Linux box, "dig www.catalog.update.microsoft.com" shows the same (status NXDOMAIN)

From a Linux box, "host -t SOA www.catalog.update.microsoft.com [dnscrypt_resolver_ip]" yields a correct lookup! (This was not expected)

The only way I can currently get these lookups to work is by adding "list server '/microsoft.com/[standard dns resolver ip]'" to /etc/config/dhcp. Obviously I don't want this long-term.

In any case, any thoughts on how to figure out why dnscrypt-proxy refuses to look up those domains when the actual resolver will? And why did this start happening within the last month (two at the outside)?
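The comparison the troubleshooting above does by hand (A vs. SOA lookups, proxy vs. plain resolver) can be scripted. The following is an added example, not code from the thread or from dnscrypt-proxy: it builds raw DNS queries, reads the rcode out of each reply, and reports the query types on which two resolvers disagree. The listener address 127.0.0.1:53 for dnscrypt-proxy and the upstream address 198.51.100.1 are placeholders.

```python
import socket
import struct

# RFC 1035 header rcodes we expect to see when probing a resolver.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "SOA": 6, "AAAA": 28}
TXID = 0x1234  # fixed transaction id so a reply can be matched to the probe

def build_query(name, qtype):
    """Encode a plain DNS query (RD set) for name/qtype as wire bytes."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def parse_header(resp):
    """Return (txid, rcode name, answer count) from a reply's 12-byte header."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    return txid, RCODES.get(rcode, "RCODE%d" % rcode), ancount

def probe(name, qtype, server, port=53, timeout=2.0):
    """Send one UDP query to server:port and return (rcode name, answer count)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, port))
        resp, _ = s.recvfrom(4096)
    txid, rcode, ancount = parse_header(resp)
    if txid != TXID:
        raise ValueError("reply transaction id does not match the probe")
    return rcode, ancount

def disagreements(results):
    """Given {(server, qtype): (rcode, ancount)}, list the qtypes for which the
    servers returned different rcodes (e.g. proxy NXDOMAIN, upstream NOERROR)."""
    by_type = {}
    for (server, qtype), (rcode, _an) in results.items():
        by_type.setdefault(qtype, {})[server] = rcode
    return sorted(q for q, r in by_type.items() if len(set(r.values())) > 1)

if __name__ == "__main__":
    # Placeholder addresses (assumed): dnscrypt-proxy's local listener and a
    # plain upstream resolver; adjust port if your proxy does not use 53.
    servers = {"proxy": "127.0.0.1", "upstream": "198.51.100.1"}
    name = "www.catalog.update.microsoft.com"
    results = {}
    for label, ip in servers.items():
        for qtype in ("A", "AAAA", "SOA"):
            results[(label, qtype)] = probe(name, qtype, ip)
    print(results)
    print("query types where proxy and upstream disagree:", disagreements(results))
```

A non-empty list from `disagreements` shows the proxy answering differently from the upstream for that record type, which narrows the fault to the proxy path rather than the zone itself.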

Out of curiosity, dnssec isn't good enough or is there a reason why you need to encrypt dns traffic?

DNSSEC isn't encrypting the DNS traffic, it's only for authentication (cryptographically weak btw) and is really useless because the PKI trust chain comes from the government, and is not controlled by you.

Against DNSSEC

I would say two reasons. First, in principle your ISP should be trusted to not snoop or modify traffic but they've been shown to do both. Encrypt everything.

Second, availability and quality of servers. I specify two servers to prevent downtime if one fails and there aren't enough local ones for my comfort. It goes against my grain to rely on a server or two halfway around the world for my network to work.

Are you sure this is not a bad implementation of DNSSEC on Microsoft's part?

That may not be applicable to the OP, but ever since the UK passed the law that ISPs have to record their customers' DNS requests I'm surprised we don't have a huge influx of UK users asking about use of dnscrypt here.

I'm wondering if this wasn't due to misconfiguration elsewhere in the network (my ISP, or something).

I rebuilt dnscrypt-proxy but this time with plugins so I could test disabling IPv6 DNS. Sure enough... the problem site started working.

But I went back and enabled IPv6 and the site still works. So I'm not sure if the IP was cached somewhere so the second lookup worked after I had the first success, or whether things are unconditionally working now.

I'm guessing to really test I need to configure the router and reboot both it and my machine, but that doesn't mean my DNS server won't still have cached that site IP.