by kylepdm 3486 days ago
In this case, would the user just not resolve any DNS queries at all then if their ISP is intercepting all of them? Or am I missing something?
2 comments

DNS interception usually takes place by redirecting traffic destined to port 53, like so:

  # one rule per transport (iptables takes a single protocol per -p); the
  # TPROXY target also needs a listener bound with IP_TRANSPARENT and an
  # ip rule/route for the marked packets, omitted here
  iptables -t mangle -A PREROUTING -p udp --dport 53 -j TPROXY --on-ip mitm-ip --on-port 53
  iptables -t mangle -A PREROUTING -p tcp --dport 53 -j TPROXY --on-ip mitm-ip --on-port 53
Doing this isn't inherently malicious. Most of the time it's done for performance reasons. Bad idea, if you ask me, but whatever.

Since dnscrypt transmits DNS requests over port 443, which is also used by HTTPS, ISPs can't redirect the packets without performing more costly fingerprinting, or else websites would break.

dnscrypt packets are also encrypted and authenticated, so the worst probable thing an ISP could do is, like you said, drop the requests.

For the security conscious, failing closed is better than failing open.
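An added check, not part of the thread above, that a defender can run to see whether the port-53 redirection described in this comment is happening on their own link: it sends a plain DNS query to an address that cannot host a resolver (the decoy IP is an assumption, taken from the RFC 5737 TEST-NET-1 documentation range), so any well-formed reply with our transaction id must have come from something in the path that rewrote the destination.

```python
import socket
import struct
import secrets

# Assumed decoy: a TEST-NET-1 address (RFC 5737) that no real resolver answers from.
# A matching reply can therefore only come from a transparent proxy on port 53.
DECOY_RESOLVER = "192.0.2.1"

def build_query(txid: int, name: str = "example.com") -> bytes:
    """Build a minimal DNS A/IN query for `name` with recursion desired and id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def looks_like_answer(data: bytes, txid: int) -> bool:
    """True when `data` is a DNS response (QR bit set) carrying our transaction id."""
    if len(data) < 12:
        return False  # shorter than a DNS header, cannot be a reply to us
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)

def port53_intercepted(decoy_ip: str = DECOY_RESOLVER, timeout: float = 2.0) -> bool:
    """Query the decoy; a valid matching reply means port 53 is being redirected."""
    txid = secrets.randbits(16)
    query = build_query(txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (decoy_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except OSError:
            return False  # timeout or ICMP unreachable: nothing answered for the decoy
    return looks_like_answer(data, txid)

if __name__ == "__main__":
    print("port 53 is intercepted" if port53_intercepted() else "no interception detected")
```

A silent timeout is the expected result on a clean link; a reply proves redirection but says nothing about who is doing it, which is exactly the case dnscrypt's authentication is meant to close.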