DaemonForums  

#1
27th December 2014
Oko
DNSCrypt and local Unbound resolver

I am reading one of the BSD Now tutorials

http://www.bsdnow.tv/tutorials/openbsd-router

As with probably most of you, my typical work/home DNS setup consists of a local Unbound DNS resolver with DNSSEC validation turned on. However, the above tutorial advocates the use of dnscrypt-proxy. My understanding is that dnscrypt-proxy is useful in the case where the local resolver is forwarding requests to another resolver like OpenDNS (no U.S. resolver should be used IMHO if privacy is of any concern). In my case my understanding is that each uncached request will go to a top domain. Ideally one would be able to encrypt such traffic with DNSCurve, but I am not aware that Matthew Dempsky finished that code and removed those explicit dependencies on Linux kernel system calls.

My question is: Is dnscrypt-proxy at all useful for people who run their own Unbound resolver (for example on my laptop) and don't forward DNS requests to any server? Could anybody please explain to me how dnscrypt-proxy actually works (RTFM with the link is OK too).

#2
28th December 2014
rocket357 (Real Name: Jonathon)

dnscrypt-proxy is basically a proxy that wraps DNS queries in TLS port 443 traffic to a specialized resolver that you point it to. My configuration has two such proxies running, with Unbound configured to route certain traffic to them. You'll want to read up on which resolvers you can use; US ones are obviously not a great choice, as you've pointed out, but make sure they don't log (granted, "we don't log queries" is no indication that they don't, in fact, log queries, but it's definitely better than "yes, we log your requests", IMHO).
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
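
An Unbound configuration of the kind described in post #2, as an added example that is not part of the thread and not rocket357's actual configuration: one zone is forwarded to a first local dnscrypt-proxy instance and everything else to a second. The listening ports (5301 and 5302 on 127.0.0.1) and the zone name example.org are assumptions.

```conf
# unbound.conf fragment (added example; ports and zone name are assumptions)
server:
    interface: 127.0.0.1
    # Unbound refuses to send queries to localhost by default;
    # that must be turned off to forward to a local dnscrypt-proxy.
    do-not-query-localhost: no

# Queries under this zone go to the first dnscrypt-proxy instance
# (assumed to listen on 127.0.0.1 port 5301).
forward-zone:
    name: "example.org."
    forward-addr: 127.0.0.1@5301

# Everything else goes to the second instance (assumed port 5302).
# With a "." forward-zone, Unbound stops recursing from the root itself
# and sends every cache miss to the forwarder, so the remote resolver
# behind dnscrypt-proxy sees all uncached queries.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5302
```

Running `unbound-checkconf` on the file catches syntax errors before Unbound is reloaded.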