@Zenithar
Last active January 29, 2024 17:42
Unbound + DNSCrypt configuration
DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALIP2=127.0.0.2
DNSCRYPT_LOCALPORT=9053
DNSCRYPT_RESOLVERPORT=443
DNSCRYPT_USER=nobody
DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.resolver2.dnscrypt.eu
DNSCRYPT_PROVIDER_NAME2=2.dnscrypt-cert.resolver1.dnscrypt.eu
DNSCRYPT_PROVIDER_KEY=3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A:9955
DNSCRYPT_PROVIDER_KEY2=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
DNSCRYPT_RESOLVERIP=77.66.84.233
DNSCRYPT_RESOLVERIP2=176.56.237.171
local-zone: "home." static
local-data: "raspberry.home. IN A 192.168.0.253"
local-data: "router.home. IN A 192.168.0.254"
local-data-ptr: "192.168.0.253 raspberry.home."
local-data-ptr: "192.168.0.254 router.home."
server:
    # Core cpu count
    num-threads: 2
    # DNSSEC features
    # Updated via: unbound-anchor -v -a /etc/unbound/root.key
    auto-trust-anchor-file: "/etc/unbound/root.key"
    module-config: "validator iterator"
    # Downloaded via: wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints
    root-hints: "/etc/unbound/root.hints"
    interface: 0.0.0.0
    port: 53 # port to answer queries from
    do-ip4: yes # Enable IPv4, "yes" or "no".
    do-ip6: no # Enable IPv6, "yes" or "no".
    do-udp: yes # Enable UDP, "yes" or "no".
    do-tcp: yes # Enable TCP, "yes" or "no".
    # Hide unbound information
    hide-identity: yes
    hide-version: yes
    # If yes, Unbound rotates RRSet order in the response. This is almost the
    # same as Thijs Kinkhorst's implementation except that the random number
    # source is the query-id.
    rrset-roundrobin: yes
    # Time to live minimum for RRsets and messages in the cache.
    cache-min-ttl: 60
    # If yes, Unbound doesn't insert authority/additional sections into the
    # response message when those sections are not required. This is
    # similar to BIND9's minimal-responses or Google Public DNS
    # behavior.
    minimal-responses: no
    # Use 0x20-encoded random bits in the query to foil spoof
    # attempts. This perturbs the lowercase and uppercase of query
    # names sent to authority servers and checks if the reply still
    # has the correct casing. Disabled by default. This feature is
    # an experimental implementation of draft dns-0x20.
    use-caps-for-id: yes
    # If yes, message cache elements are prefetched before they expire
    # to keep the cache up to date.
    prefetch: yes
    # If yes, fetch the DNSKEYs earlier in the validation process,
    # when a DS record is encountered.
    prefetch-key: yes
    # ACL
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # Enforce privacy
    private-address: 192.168.0.0/24
    # Local zone definition
    private-domain: "home."
    include: /etc/unbound/forward.conf
    include: /etc/unbound/reverse.conf
    # You need this set to no for dnscrypt-proxy (listening on localhost) to work
    do-not-query-localhost: no

# Disable remote control
remote-control:
    control-enable: no

# Forward all queries to the specified servers
forward-zone:
    name: "."
    # DNSCrypt (dnscrypt-proxy listening on 127.0.0.1:9053)
    # forward-addr: 127.0.0.1@9053
    # OpenDNS
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
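Because the `forward-addr` pointing at dnscrypt-proxy is commented out in the revision above, Unbound forwards every query in plaintext to the two OpenDNS addresses, which is exactly what the comment thread below picks up. `unbound-checkconf` validates syntax, not intent, so a cross-check of the forward-zone against the dnscrypt-proxy environment file is a useful sanity test before deploying. The script below is an added example, not part of the gist: it uses a minimal parser for Unbound's `attribute: value` layout (not Unbound's own parser; IPv6 literals in `forward-addr` are not handled, consistent with `do-ip6: no`), and the two sample configs are constructed inline from the gist's values. The "fixed" variant also forwards to the second listener `127.0.0.2@9053`, which is an assumption derived from `DNSCRYPT_LOCALIP2` in the environment file.

```python
"""Cross-check an unbound.conf forward-zone against a dnscrypt-proxy env file.

Added example, not the gist's own code. Reports every forwarder for the
root zone "." that is not one of the local dnscrypt-proxy listeners, i.e.
an upstream that would receive queries in plaintext.
"""
import re

# Constructed sample: the dnscrypt-proxy environment from the gist (subset).
DNSCRYPT_ENV = """\
DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALIP2=127.0.0.2
DNSCRYPT_LOCALPORT=9053
"""

# Constructed sample: forward-zone as published (dnscrypt line commented out).
UNBOUND_CONF_LEAKY = """\
server:
    do-not-query-localhost: no
forward-zone:
    name: "."
    # DNSCrypt
    # forward-addr: 127.0.0.1@9053
    # OpenDNS
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
"""

# Constructed sample: the intended version, forwarding only to the local proxies
# (second listener 127.0.0.2@9053 is an assumption based on DNSCRYPT_LOCALIP2).
UNBOUND_CONF_FIXED = """\
server:
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@9053
    forward-addr: 127.0.0.2@9053
"""


def parse_env(text):
    """Return KEY=VALUE pairs from a shell-style env file, skipping comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def parse_unbound(text):
    """Return (clause, attribute, value) triples from an unbound.conf body.

    '#' comments are dropped, surrounding quotes stripped. A line consisting of
    a bare keyword and colon (e.g. 'forward-zone:') opens a new clause.
    """
    items, clause = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip('"')
        if value == "":
            clause = key          # clause header such as server: / forward-zone:
            continue
        items.append((clause, key, value))
    return items


def forwarders(items, zone="."):
    """Collect forward-addr entries for the forward-zone named `zone`
    as (host, port) tuples; Unbound's default port is 53."""
    addrs, current = [], None
    for clause, key, value in items:
        if clause != "forward-zone":
            continue
        if key == "name":
            current = value
        elif key == "forward-addr" and current == zone:
            host, _, port = value.partition("@")
            addrs.append((host, int(port) if port else 53))
    return addrs


def audit(env_text, conf_text):
    """Compare the root forward-zone with the dnscrypt-proxy listeners."""
    env = parse_env(env_text)
    port = int(env.get("DNSCRYPT_LOCALPORT", 53))
    proxies = {(env[k], port) for k in env if re.fullmatch(r"DNSCRYPT_LOCALIP\d*", k)}
    items = parse_unbound(conf_text)
    fwd = forwarders(items)
    return {
        "forwarders": fwd,
        "proxies": sorted(proxies),
        "plaintext": [a for a in fwd if a not in proxies],   # upstreams bypassing DNSCrypt
        "no_forwarders": not fwd,                            # would fall back to iterating from root
        "localhost_allowed": ("server", "do-not-query-localhost", "no") in items,
    }


if __name__ == "__main__":
    for label, conf in (("as published", UNBOUND_CONF_LEAKY), ("fixed", UNBOUND_CONF_FIXED)):
        result = audit(DNSCRYPT_ENV, conf)
        print(f"{label}: plaintext forwarders = {result['plaintext'] or 'none'}")
```

Run against the published variant the script lists both OpenDNS addresses as plaintext forwarders; against the fixed variant it lists none. The `localhost_allowed` flag confirms `do-not-query-localhost: no` is present, without which Unbound would refuse to talk to the proxy on 127.0.0.1 even when the forwarder is set correctly.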
@felmey

felmey commented May 31, 2018

Doesn't commenting out line 78 of your "unbound.conf" like you have bypass dnscrypt completely causing all your traffic to go to those OpenDNS servers?

@shatfel

shatfel commented Mar 30, 2021

Nice software

@Zenithar
Author

Doesn't commenting out line 78 of your "unbound.conf" like you have bypass dnscrypt completely causing all your traffic to go to those OpenDNS servers?

Yes you are right, I forgot to restore it as it was. Now I'm using AdGuardHome + CoreDNS to do the same thing.
