Hello, here is a small guide to using kresd & dnscrypt-proxy2 in order to maximize safety and anonymity for your DNS queries.
1) Go to /etc/resolver/dns_servers and create a file describing the dnscrypt resolver.
As you understand, we will use dnscrypt-proxy listening on port 5300 without TLS. There is no need to encrypt traffic between kresd & dnscrypt-proxy.
After you create the file you should be able to select it from the dropdown list of DNS servers:
Then you need to install dnscrypt-proxy2 and configure it to your liking. Beware of the listening port.
The end result is this:
All my DNS queries are anonymous, encrypted and verified for validity.
Firefox can also use encrypted SNI to further enhance HTTPS privacy.
You can also enable DNS ad blocking on top, either via kresd or dnscrypt-proxy.
Open question: Does kresd verify unsigned DNSSEC queries like dnsmasq?
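
Because the hop between kresd and dnscrypt-proxy carries plaintext DNS, dnscrypt-proxy should listen only on loopback and on the port the resolver file points at (5300 in this guide). The check below is an added example, not part of the original post: it assumes both daemons run on the same host and that `listen_addresses` in dnscrypt-proxy.toml is written on a single line; `check_listen` is a hypothetical helper name and the config path is passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the original post).
# check_listen CONFIG PORT
# Returns 0 if every listen address is loopback and at least one uses PORT,
#         1 if an address is reachable beyond loopback,
#         2 if no address uses PORT,
#         3 if no active listen_addresses entry is found.
check_listen() {
    conf=$1
    port=$2
    # First uncommented listen_addresses line (single-line array assumed).
    line=$(grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' "$conf" | head -n 1)
    [ -n "$line" ] || return 3
    # Pull out the quoted entries, one per line, with the quotes stripped.
    addrs=$(printf '%s\n' "$line" | grep -oE "['\"][^'\"]+['\"]" | tr -d "'\"")
    [ -n "$addrs" ] || return 3
    found=no
    while IFS= read -r a; do
        case $a in
            127.[0-9]*:*|'[::1]':*) ;;   # IPv4 or IPv6 loopback
            *) return 1 ;;               # e.g. 0.0.0.0:5300 or a LAN address
        esac
        # The port is whatever follows the last colon.
        if [ "${a##*:}" = "$port" ]; then
            found=yes
        fi
    done <<EOF
$addrs
EOF
    [ "$found" = yes ] || return 2
    return 0
}

# Constructed sample config, used only to demonstrate the check.
sample=$(mktemp)
printf '%s\n' "listen_addresses = ['127.0.0.1:5300', '[::1]:5300']" > "$sample"
if check_listen "$sample" 5300; then
    echo "OK: loopback only, port 5300 present"
fi
rm -f "$sample"
```
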