I set up pihole with dnscrypt on my home network a couple of days ago. The DNS of my router points to it, so all the hosts on the network use pihole.
Everything is working fine. The DNS traffic is indeed encrypted thanks to dnscrypt, and I am still able to block all the ad domains that pihole has in its blacklists.
Something that I did not think of was DNS encryption within the internal network. Since dnscrypt is bound to the loopback interface (127.0.0.1) of the host where pihole is running, all the DNS requests of the clients to pihole are sent in plain text, hence it is easy to sniff traffic, make MITM attacks, and I think that if the ISP has access to the router it could even check which packets travel around the internal network, including the DNS requests that are not encrypted. The DNS requests are only encrypted when pihole actually sends them to dnscrypt running on 127.0.0.1; the responses from pihole are, again, not encrypted.
I was wondering if there is an effective and simple way to encrypt the DNS traffic between pihole and the clients on the internal network, either using TLS, HTTPS, or other encryption protocol.
Please note that using DNS over HTTPS or DNS over TLS with pihole will not help, as the very same problem occurs, because the traffic between clients and pihole is not encrypted; it is only encrypted when pihole is making the DNS request.
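The following is an added illustration, not part of the question and not Pi-hole's or dnscrypt-proxy's own code, of the two hops the question describes. The first half parses a constructed plain-UDP/53 query exactly as any host on the LAN segment would see it, which is the exposure being asked about and is also what a defender would log to find clients still resolving in the clear. The second half applies the RFC 7858 length-prefix framing that DNS over TLS uses and opens a certificate-verified TLS session to a resolver; the resolver host, port 853 listener and server name are assumptions (Pi-hole alone does not provide a DoT listener, so this presumes a TLS front end on the resolver host).

```python
import socket
import ssl
import struct
from typing import Tuple


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 DNS query (A record by default, RD flag set)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def decode_question(payload: bytes) -> Tuple[str, int]:
    """Parse the first question of a raw DNS message.

    This is all an observer on the LAN needs to recover the queried name from an
    unencrypted client -> Pi-hole packet on UDP/53; the same parser is what a
    monitoring point would use to inventory clients still using plain DNS.
    """
    _txid, _flags, qdcount = struct.unpack(">HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12  # fixed 12-byte header
    labels = []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name not supported")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack(">HH", payload[pos:pos + 4])
    return ".".join(labels), qtype


def frame_for_dot(message: bytes) -> bytes:
    """RFC 7858: over TCP/TLS each DNS message is prefixed with a 2-byte big-endian length."""
    return struct.pack(">H", len(message)) + message


def unframe_from_dot(stream: bytes) -> bytes:
    """Strip the 2-byte length prefix from one framed DoT message."""
    (length,) = struct.unpack(">H", stream[:2])
    return stream[2:2 + length]


def query_over_dot(qname: str, resolver_host: str, server_name: str,
                   port: int = 853, ca_file: str = None, timeout: float = 5.0) -> bytes:
    """Send one query over DNS-over-TLS and return the raw DNS response.

    resolver_host/server_name/port are hypothetical: they stand for a TLS
    listener in front of the resolver on the LAN. Certificate and hostname
    verification stay on, so a private CA must be supplied via ca_file.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((resolver_host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_for_dot(build_query(qname)))
            (length,) = struct.unpack(">H", tls.recv(2))
            body = b""
            while len(body) < length:
                chunk = tls.recv(length - len(body))
                if not chunk:
                    raise ConnectionError("TLS stream closed mid-message")
                body += chunk
    return body


if __name__ == "__main__":
    # Constructed sample: what a client would send to Pi-hole on UDP/53.
    sniffed = build_query("ads.tracker.example", qtype=28)
    print("plain DNS on the LAN reveals:", decode_question(sniffed))
    print("same message framed for DoT:", frame_for_dot(sniffed)[:4].hex(), "...")
```

`query_over_dot("example.com", "192.0.2.53", "resolver.lan", ca_file="lan-ca.pem")` is the shape of the call once a DoT front end exists; the name-decoding half runs as-is and needs no network.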