I have used the combination of Unbound and dnscrypt-proxy on my PC for a period of time. I was using dnsmasq with dnscrypt-proxy, but dnsmasq seemed unstable (even though it was deployed on my computer and used by just me!). Replacing dnsmasq with Unbound seems to be a good solution.
Configuration
Here (Chinese Simplified) is a great example by phoenixlzx.
Fallback servers
Unbound load-balances across the listed `forward-addr`s instead of trying the servers one by one and moving on to the next only when the previous one fails. In my case I want it to send queries to my dnscrypt-proxy server first and use the other servers only as fallback, so this behaviour does me no good.
Finally I moved the fallback servers out of the Unbound config and wrote them into /etc/resolv.conf instead. Not so exciting, but it also works.
Forwarding rules
dnscrypt-proxy applies the first matching forwarding rule it comes across. Unbound is more rational: it uses the most specific match, i.e. the forward-zone whose name matches the queried name most closely.
DNS over TLS (DoT) support of Unbound
Unbound supports DNS over TLS (but not DNS over HTTPS) when forwarding DNS queries. By adding `forward-tls-upstream: yes` (or its alias `forward-ssl-upstream: yes`) you can tell the server to send DoT requests to the upstream servers you specify. Then we don't need dnscrypt-proxy to make secured DNS queries.
See this article for detailed configuration.
My config file (working on Manjaro Linux):

```conf
server:
    verbosity: 1
    do-daemonize: no
    use-syslog: yes
    username: unbound
    directory: "/etc/unbound"
    root-hints: "root.hints"              # Get it here: https://www.internic.net/domain/named.root
    trust-anchor-file: trusted-key.key    # Run `sudo unbound-anchor` for this file
    module-config: "iterator"             # "validator iterator" if you want DNSSEC
    interface: 127.0.0.54
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt   # Differs per distribution
    access-control: 127.0.0.1/8 allow

forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```
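As an added example (not the post's or Unbound's code), the script below reads an Unbound-style config, shows the forwarding-rule difference from the "Forwarding rules" section (most-specific match versus first-listed match), and audits the settings that quietly matter in the config above: a TLS upstream without a CA bundle, a `forward-addr` without the `#name` authentication name, and a `trust-anchor-file` with no `validator` in `module-config`. `SAMPLE_CONF` is the post's config with one constructed extra zone, `corp.example.` pointing at 10.0.0.53, added only to make the zone selection visible; the comment rule (`#` only starts a comment at a token boundary) is what keeps `8.8.8.8@853#dns.google` intact.

```python
import re

# Added example: parse, zone selection and audit for an Unbound-style config.
# SAMPLE_CONF = the post's config plus one constructed zone ("corp.example.").
SAMPLE_CONF = """
server:
    verbosity: 1
    username: unbound
    directory: "/etc/unbound"
    root-hints: "root.hints"   # https://www.internic.net/domain/named.root
    trust-anchor-file: trusted-key.key
    module-config: "iterator"  # "validator iterator" if you want DNSSEC
    interface: 127.0.0.54
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    access-control: 127.0.0.1/8 allow

forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

forward-zone:                  # constructed: an internal zone for the demo
    name: "corp.example."
    forward-addr: 10.0.0.53
"""


def parse_unbound_conf(text):
    """Return {"server": {key: [values]}, "forward-zone": [{key: [values]}, ...]}."""
    conf = {"server": {}, "forward-zone": []}
    current = None
    for raw in text.splitlines():
        # '#' is a comment only at a token boundary, so '...@853#dns.google' survives.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value == "":                                # clause header, e.g. "server:"
            if key == "forward-zone":
                current = {}
                conf["forward-zone"].append(current)
            else:
                current = conf.setdefault(key, {})
            continue
        current.setdefault(key, []).append(value)
    return conf


def _zone_labels(zone):
    name = zone["name"][0].rstrip(".").lower()
    return name.split(".") if name else []             # root zone -> []


def _matches(zlabels, qlabels):
    if not zlabels:                                    # "." matches everything
        return True
    return len(zlabels) <= len(qlabels) and qlabels[-len(zlabels):] == zlabels


def most_specific_zone(zones, qname):
    """Unbound's behaviour: the zone whose name is the longest suffix of qname."""
    qlabels = qname.rstrip(".").lower().split(".")
    candidates = [z for z in zones if _matches(_zone_labels(z), qlabels)]
    return max(candidates, key=lambda z: len(_zone_labels(z)), default=None)


def first_match_zone(zones, qname):
    """First listed rule that matches: the behaviour the post attributes to dnscrypt-proxy."""
    qlabels = qname.rstrip(".").lower().split(".")
    return next((z for z in zones if _matches(_zone_labels(z), qlabels)), None)


def audit(conf):
    """Flag settings that leave the forwarder weaker than it looks."""
    findings, server = [], conf["server"]
    for zone in conf["forward-zone"]:
        tls = (zone.get("forward-tls-upstream") or zone.get("forward-ssl-upstream") or ["no"])[0]
        if tls != "yes":
            continue
        if "tls-cert-bundle" not in server and "tls-system-cert" not in server:
            findings.append("zone %s: TLS upstream without a CA bundle, certificates cannot be verified"
                            % zone["name"][0])
        for addr in zone.get("forward-addr", []):
            if "#" not in addr:
                findings.append("zone %s: %s has no authentication name, server identity is not checked"
                                % (zone["name"][0], addr))
    if "trust-anchor-file" in server and "validator" not in server.get("module-config", ["iterator"])[0]:
        findings.append("trust-anchor-file is set but module-config lacks 'validator', DNSSEC is not validated")
    return findings


if __name__ == "__main__":
    conf = parse_unbound_conf(SAMPLE_CONF)
    zones = conf["forward-zone"]
    for q in ("host.corp.example", "www.example.org"):
        print(q, "-> first match:", first_match_zone(zones, q)["name"][0],
              "| Unbound:", most_specific_zone(zones, q)["name"][0])
    for finding in audit(conf):
        print("WARNING:", finding)
```

Run against the post's own config the audit reports exactly one thing: the trust anchor is configured but the `validator` module is not loaded, so DNSSEC signatures are fetched but never checked, which is what the `# "validator iterator" if you want DNSSEC` comment is about.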