DNSCrypt itself can be challenging to configure according to our prior experiences:
- Use DNSCrypt by default in Kicksecure? (not Whonix!)
- MX / SRV / DNSSEC / any DNS requests over Tor / DNSCrypt
Therefore a prerequisite exercise is making DNSCrypt work on non-Whonix, on Debian buster.
That does not work for reasons similar to reasons described here:
DNSCrypt runs as user _dnscrypt-proxy by Debian dnscrypt package default. That user on Whonix-Gateway has neither clearnet system default networking access nor torified system default networking access.
This might help or be part of the solution. Untested. This would allow _dnscrypt-proxy to connect to clearnet.
/etc/whonix_firewall.d/50_user.conf:
NO_NAT_USERS+=" $(id -u "_dnscrypt-proxy")"
But DNSCrypt might not be required. Whonix-Gateway System DNS - Whonix might be easier to set up and more reliable.