[OUTDATED] Setting Up and Using DNScrypt-Loader

I stopped using DNScrypt-proxy-loader altogether, as the development doesn't keep up with the dnscrypt-proxy development. Currently, you cannot use the loader with any version above 1.9.1. I logged an issue a couple of weeks ago, but in the meantime v1.9.4 of dnscrypt-proxy has been released, so I was already 3 versions behind...
Instead I've used this guide to configure DNScrypt-proxy directly on the pi (running raspbian jessie lite), with an upgraded dnsmasq (entry of jan 29 - required if you also want to use DNSSEC).
The setup is a little harder, you really need to keep your mind on it, but I think it's worth the effort, as you lose the dependency on the loader.
To make life a little easier, I've published a rar file containing the files you need (IPv4 only). Put all five dnscrypt-proxy@ files in /lib/systemd/system (just like the instructions indicate) and 04-dnscrypt.conf in /etc/dnsmasq.d. Remove the server settings from other dnsmasq configuration files! These files are for v1.9.4 of DNScrypt proxy, no clue if they will still work with future versions.
I did change the ports, although a port scan indicates the ports are NOT open to the outside world. I just don't like using ports below 1024, this may interfere with other products using "well known ports".

This configuration works (tested)!

Edit: just read this interesting article. I was also under the assumption the primary resolver would always be used, even though the forward destinations graph on the main page of pihole showed otherwise. For this reason (and my privacy - more resolvers means harder to track), I added two more dnscrypt servers to the rar file (read above) and edited the instructions accordingly.

Edit2: Following the instructions from the guide, I ran: sudo systemctl status -l dnscrypt-proxy@* and noticed a warning, stating the system (our raspberry pi) doesn't have enough "entropy" to generate random numbers. This article provides a solution:

  • sudo apt-get install rng-tools
  • add HRNGDEVICE=/dev/urandom to /etc/default/rng-tools
  • reboot the system
    The output of sudo systemctl status -l dnscrypt-proxy@* will no longer show these warnings.
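The post's instruction to remove the server settings from other dnsmasq configuration files matters because any leftover upstream sends queries around dnscrypt-proxy unencrypted. The following check is an added example, not part of the original post or its rar file: it assumes upstreams are set with dnsmasq "server=" lines and that dnscrypt-proxy listens on a loopback address, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): list dnsmasq upstreams that
# would bypass dnscrypt-proxy. Assumes upstreams are set with "server="
# lines and that dnscrypt-proxy listens on a loopback address.
#
# check_dnsmasq_upstreams DIR ALLOWED_FILE
#   Prints one line per problem and returns 1 if any were found.
check_dnsmasq_upstreams() {
    dir=$1
    allowed=$2
    status=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # Active directives only. dnsmasq also uses '#' to separate the port
        # (server=127.0.0.1#5353), so the pattern is anchored at line start
        # rather than stripping everything after a '#'.
        lines=$(grep -E '^[[:space:]]*server=' "$f" || true)
        [ -n "$lines" ] || continue
        while IFS= read -r line; do
            val=${line#*server=}
            target=${val##*/}     # handles server=/domain/address too
            if [ "$name" != "$allowed" ]; then
                echo "STRAY $name: $line"
                status=1
                continue
            fi
            case $target in
                127.*|::1*|"") ;;  # loopback, or local-only domain
                *) echo "NONLOCAL $name: $line"; status=1 ;;
            esac
        done <<EOF
$lines
EOF
    done
    return "$status"
}

# Run against a real directory when called with two arguments, e.g.
#   sh check.sh /etc/dnsmasq.d 04-dnscrypt.conf
if [ "$#" -eq 2 ]; then
    check_dnsmasq_upstreams "$1" "$2"
fi
```

A STRAY line means another file still defines an upstream; a NONLOCAL line means 04-dnscrypt.conf itself points somewhere other than the local proxy.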