Thanks for sharing.
I was working on a new dnscrypt guide (bash, not salt) some months ago but paused it for some time due to other work.
BTW, have you tested this:
flush chain qubes dnat-dns
It will result in an error unless the dnat-dns chain exists, which is why I use this in my scripts:
add chain ip qubes custom-dnat-dns
delete chain ip qubes custom-dnat-dns
and then create the chain.
Could you also explain why this is necessary:
#!/bin/sh
find /proc/sys/net/ipv4/conf -name "vif*" -exec bash -c 'echo 1 | sudo tee {}/route_localnet' \;
I have been reading about some related security concerns.