In the meantime, the developer of dnscrypt has added a comment here, changed the title of the issue and closed it. The title of the issue is now: When local DNSSEC validation is enabled, dnsmasq 2.77 sends multiple queries on the same TCP connection which is incompatible with DNSCrypt, e.g. this may be a problem.
The developer of dnsmasq has:
- confirmed dnsmasq 2.77 exists, is out there, but
<quote>
the point is moot, since there are no changes in the relevant areas since 2.76</quote>
- stated, as a response to the title change:
<quote>
Well, that statement may well be true, the first part, about dnsmasq, is, the second part, about dnscrypt, I'd expect to be true also, given its source</quote>
- a solution may be coming:
<quote>
I'm happy to look at making dnsmasq more flexible in this regard</quote>
I've been busy:
- installed a fresh copy of Raspbian Jessie Lite - version February 2017
- upgraded dnsmasq to 2.76-5 (stretch method).
- installed dnscrypt 1.9.4, I used the systemd / socket setup (I definitely want more than 2 resolvers)
- I then simply copied the dnsmasq configuration files, the result of a full pihole configuration (yes I have a backup), into /etc/dnsmasq.d (I didn't install pihole, the result however is the same, apart from the fact you don't have a fancy web interface).
- I changed the resolver of one of my workstations (running this setup on a different pi) to use the new setup as the resolver. Although initially it looked great (the log is identical to what a full pihole installation would generate), after a while, everything responded the same way as the full pihole install did.
I'm starting to wonder:
- Is my provider (telenet.be) messing with the requests to dnscrypt servers (it's encrypted - port 443, but the destination IP address is visible)?
- There aren't any dnscrypt servers in my country, so I use the geographically closest possible. Is the response time too slow?
dig @127.10.10.1 -p 5551 +dnssec www.raspberrypi.org (which is dnscrypt.org-fr) results in:
;; Query time: 65 msec.
All other dnscrypt resolvers have a similar response time, from 57 msec to 67 msec.
to be continued...
<edit>
This problem has a solution, you can find the solution here.</edit>