by twr
3486 days ago
DNS interception usually takes place by redirecting traffic destined to port 53, like so:

    iptables -t mangle -A PREROUTING -p udp --dport 53 -j TPROXY --on-ip mitm-ip --on-port 53
    iptables -t mangle -A PREROUTING -p tcp --dport 53 -j TPROXY --on-ip mitm-ip --on-port 53

Doing this isn't inherently malicious. Most of the time it's done for performance reasons. Bad idea, if you ask me, but whatever. Since dnscrypt transmits DNS requests over port 443, which is also used by HTTPS, ISPs can't redirect the packets without performing more costly fingerprinting, or else websites would break. dnscrypt packets are also encrypted and authenticated, so the worst probable thing an ISP could do is, like you said, drop the requests.
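The comment above describes the iptables pattern that redirects port 53 traffic to a middlebox. As an added example (not part of the original comment), here is a small defender-side audit: given an iptables-save dump, it flags any rule that sends port-53 traffic to a TPROXY, REDIRECT or DNAT target, which is what an operator would look for when checking a router or gateway for DNS interception. The ruleset embedded below is constructed for illustration; the addresses in it are documentation-range placeholders, and the rule layout is an assumption, not taken from any real device.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in iptables-save format (hypothetical ruleset, not from the post).
# It mixes a genuine DNS redirect (mangle/TPROXY), an unrelated DNAT on 443,
# a multiport REDIRECT that happens to include 53, and a harmless ACCEPT on 53.
SAMPLE_RULESET = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j TPROXY --on-port 53 --on-ip 192.0.2.10 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m tcp --dport 53 -j TPROXY --on-port 53 --on-ip 192.0.2.10 --tproxy-mark 0x1/0x1
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 443 -j DNAT --to-destination 192.0.2.20:443
-A PREROUTING -p tcp -m multiport --dports 80,53 -j REDIRECT --to-ports 5353
-A PREROUTING -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

# Targets that rewrite or divert a packet's destination; ACCEPT/DROP/LOG are not interception.
REDIRECT_TARGETS = {"TPROXY", "REDIRECT", "DNAT"}
DNS_PORT = 53


@dataclass
class Finding:
    table: str
    chain: str
    proto: str
    target: str
    destination: Optional[str]   # --on-ip / --to-destination / --to-ports value, if present
    rule: str


def _dports(rule: str) -> Set[int]:
    """Collect destination ports named by --dport N or multiport --dports a,b,lo:hi."""
    ports: Set[int] = set()
    m = re.search(r"--dport\s+(\d+)", rule)
    if m:
        ports.add(int(m.group(1)))
    m = re.search(r"--dports\s+([\d,:]+)", rule)
    if m:
        for part in m.group(1).split(","):
            if ":" in part:
                lo, hi = part.split(":")
                ports.update(range(int(lo), int(hi) + 1))
            else:
                ports.add(int(part))
    return ports


def find_dns_redirects(ruleset: str) -> List[Finding]:
    """Return every rule in an iptables-save dump that diverts port-53 traffic."""
    findings: List[Finding] = []
    table = "?"
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # "*mangle", "*nat": start of a table section
            table = line[1:]
            continue
        if not line.startswith("-A "):    # only appended rules matter, not chain policies
            continue
        if DNS_PORT not in _dports(line):
            continue
        tm = re.search(r"-j\s+(\S+)", line)
        target = tm.group(1) if tm else ""
        if target not in REDIRECT_TARGETS:
            continue
        chain = line.split()[1]
        pm = re.search(r"-p\s+(\S+)", line)
        proto = pm.group(1) if pm else "all"
        dm = re.search(r"--(?:on-ip|to-destination|to-ports)\s+(\S+)", line)
        destination = dm.group(1) if dm else None
        findings.append(Finding(table, chain, proto, target, destination, line))
    return findings


def summarize(ruleset: str) -> List[str]:
    """One human-readable line per finding, suitable for an audit report."""
    return [
        f"{f.table}/{f.chain}: {f.proto} port {DNS_PORT} -> {f.target} ({f.destination or 'n/a'})"
        for f in find_dns_redirects(ruleset)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_RULESET):
        print(line)
```

On a live system the input would be the output of `iptables-save` (or `nft list ruleset` after a small parser change); the point of the check is that both the mangle/TPROXY form the comment shows and the nat/REDIRECT or DNAT forms end up in the same report, while an ordinary ACCEPT on port 53 is not flagged.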