Running DNSCrypt and DNSSEC (using Debian testing repositories)

In the meantime, the developer of dnscrypt has added a comment here, changed the title of the issue and closed it. The title of the issue is now: When local DNSSEC validation is enabled, dnsmasq 2.77 sends multiple queries on the same TCP connection which is incompatible with DNSCrypt, e.g. this may be a problem.
The developer of dnsmasq has:

  • confirmed dnsmasq 2.77 exists, is out there, but <quote> the point is moot, since there are no changes in the relevant areas since 2.76 </quote>.
  • stated, as a response to the title change: <quote> Well, that statement may well be true, the first part, about dnsmasq, is, the second part, about dnscrypt, I'd expect to be true also, given its source </quote>.
  • a solution may be coming: <quote> I'm happy to look at making dnsmasq more flexible in this regard </quote>

I've been busy:

  • installed a fresh copy of Raspbian Jessie Lite - version February 2017
  • upgraded dnsmasq to 2.76-5 (stretch method).
  • installed dnscrypt 1.9.4, I used the systemd / socket setup (I definitely want more than 2 resolvers)
  • I then simply copied the dnsmasq configuration files, the result of a full pihole configuration (yes I have a backup), into /etc/dnsmasq.d (I didn't install pihole, the result however is the same, apart from the fact you don't have a fancy web interface).
  • I changed the resolver of one of my workstations (running this setup on a different pi) to use the new setup as the resolver. Although initially it looked great (the log is identical to what a full pihole installation would generate), after a while, everything responded the same way as the full pihole install did.

I'm starting to wonder:

  • Is my provider (telenet.be) messing with the requests to dnscrypt servers (it's encrypted - port 443, but the destination IP address is visible)?
  • There aren't any dnscrypt servers in my country, so I use the geographically closest possible. Is the response time too slow?
    dig @127.10.10.1 -p 5551 +dnssec www.raspberrypi.org (which is dnscrypt.org-fr) results in:
    ;; Query time: 65 msec.
    All other dnscrypt resolvers have a similar response time, from 57 msec to 67 msec

to be continued...

<edit>This problem has a solution, you can find the solution here.</edit>