I am running trunk, built within the last few days.
I have never had an issue with dnscrypt-proxy before but just recently it refuses to resolve msft update websites. Everything else works fine. Troubleshooting:
From a Linux box, "host -t SOA www.catalog.update.microsoft.com [dnscrypt_resolver_ip]" yields a correct lookup! (This was not expected)
The only way I can currently get these lookups to work is by adding "list server '/microsoft.com/[standard dns resolver ip]'" to /etc/config/dhcp. Obviously I don't want this long-term.
In any case, any thoughts on how to figure out why dnscrypt-proxy refuses to look up those domains when the actual resolver will? And why did this start happening within the last month (two at the outside)?
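For reference, the workaround mentioned above written out as a full dnsmasq section in /etc/config/dhcp. This is an added illustration, not text from the original post; the listener address 127.0.0.1#5353 for dnscrypt-proxy and the placeholder resolver 192.0.2.53 are my assumptions, so substitute whatever your dnscrypt-proxy actually listens on and the plain resolver you trust.

```text
config dnsmasq
	# Ignore /etc/resolv.conf so nothing leaks past the servers listed here
	option noresolv '1'
	# Default path: all queries go to dnscrypt-proxy (address assumed; check its config)
	list server '127.0.0.1#5353'
	# Temporary bypass: anything under microsoft.com goes to a plain resolver (placeholder IP)
	list server '/microsoft.com/192.0.2.53'
```

The second `list server` entry is dnsmasq's `server=/domain/ip` form, so it matches microsoft.com and every subdomain of it; restart dnsmasq (`/etc/init.d/dnsmasq restart`) after editing, and remove the bypass line once the underlying problem is found, since it sends those lookups in cleartext.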
DNSSEC isn't encrypting the DNS traffic, it's only for authentication (cryptographically weak btw) and is really useless because the PKI trust chain comes from the government, and is not controlled by you.
I would say two reasons. First, in principle your ISP should be trusted to not snoop or modify traffic but they've been shown to do both. Encrypt everything.
Second, availability and quality of servers. I specify two servers to prevent downtime if one fails and there aren't enough local ones for my comfort. It goes against my grain to rely on a server or two halfway around the world for my network to work.
That may not be applicable to the OP, but ever since the UK passed the law that ISPs have to record their customers' DNS requests I'm surprised we don't have a huge influx of UK users asking about use of dnscrypt here.
I'm wondering if this wasn't due to misconfiguration elsewhere in the network (my ISP, or something).
I rebuilt dnscrypt-proxy but this time with plugins so I could test disabling IPv6 DNS. Sure enough... the problem site started working.
But I went back and enabled IPv6 and the site still works. So I'm not sure if the IP was cached somewhere so the second lookup worked after I had the first success, or whether things are unconditionally working now.
I'm guessing to really test I need to configure the router and reboot both it and my machine, but that doesn't mean my DNS server won't still have cached that site IP.
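A small diagnostic that addresses both the original question (why dnscrypt-proxy refuses a name the resolver answers directly) and the cache ambiguity in the last post. It is an added example, not code from any poster or from dnscrypt-proxy: it encodes the same SOA query by hand, sends it to the dnscrypt-proxy listener and to the upstream resolver, and reports the RCODE, answer count and TTL from each. Asking twice in a row shows whether an answer is served from a cache: a TTL that shrinks between the two replies came from a cache rather than a fresh lookup. The listener address 127.0.0.1:5353 and the upstream 192.0.2.53 are placeholders of mine; the embedded reply used for offline checking is constructed, not a real capture.

```python
"""Compare a DNS query against dnscrypt-proxy and an upstream resolver.

Added example for this thread, not part of any post or of dnscrypt-proxy.
Assumed placeholders: dnscrypt-proxy listening on 127.0.0.1:5353 and a
plain resolver at 192.0.2.53; replace both with your own addresses.
"""
import random
import socket
import struct

# DNS RCODE values (RFC 1035 section 4.1.1)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_SOA = 6
QCLASS_IN = 1


def build_query(name, qtype=QTYPE_SOA, txid=None):
    """Encode a single-question DNS query in wire format (RFC 1035 4.1)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # flags 0x0100: standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, two bytes
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (txid, rcode_name, answer_count, ttl_of_first_answer_or_None)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):              # skip the question section
        off = _skip_name(msg, off) + 4
    ttl = None
    if an:
        off = _skip_name(msg, off)
        _type, _cls, ttl, _rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    return txid, RCODES.get(rcode, str(rcode)), an, ttl


def ask(server, name, port=53, timeout=3.0):
    """Send one UDP query and return parse_response() of the matching reply."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        while True:
            data, _ = s.recvfrom(4096)
            parsed = parse_response(data)
            if parsed[0] == txid:    # ignore datagrams with a different ID
                return parsed


def compare(name, dnscrypt=("127.0.0.1", 5353), upstream=("192.0.2.53", 53)):
    """Query both resolvers twice; a TTL that drops on try 2 means a cache hit."""
    for label, (host, port) in (("dnscrypt-proxy", dnscrypt), ("upstream", upstream)):
        for attempt in (1, 2):
            try:
                _, rcode, count, ttl = ask(host, name, port)
                print(f"{label:15} try {attempt}: {rcode} answers={count} ttl={ttl}")
            except OSError as exc:   # timeout, refused, unreachable
                print(f"{label:15} try {attempt}: no usable reply ({exc})")


# Constructed reply for offline checking (not a real capture): NOERROR with
# one SOA answer of TTL 3600 and an empty RDATA placeholder.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, 0)
)

if __name__ == "__main__":
    compare("www.catalog.update.microsoft.com")
```

Run it with both resolvers reachable and compare the two columns: SERVFAIL or a timeout from dnscrypt-proxy while the upstream answers NOERROR points at the proxy path (or the encrypted resolver behind it) rather than the name itself, and a TTL that is lower on the second try than the first shows that reply was cached, which is the thing a router reboot alone will not clear.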