@qubist out of curiosity, I reverted to using the DVM's script in /rw/config/rc.local, deleted your 90-dnscrypt.nft, and tested host gnu.org in u2 with sys-dns as netvm.
rc.local runs after the network is up, i.e. before it has completed there is a short time during which leaks are possible. /rw/config/qubes-firewall.d/* runs before it, and that is more correct for a firewall:
user@rdisp3147:~ > systemctl cat qubes-firewall.service
# /lib/systemd/system/qubes-firewall.service
[Unit]
Description=Qubes firewall updater
ConditionPathExists=/var/run/qubes-service/qubes-firewall
After=qubes-iptables.service
Before=qubes-network.service
[Service]
Type=notify
ExecStart=/usr/bin/qubes-firewall
[Install]
WantedBy=multi-user.target
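As an added illustration of the ordering point above (this is example code, not the script from the post or anything shipped by Qubes OS), here is what a hook placed under /rw/config/qubes-firewall.d/ could look like: it builds a standalone nftables table that only lets DNS traffic leave towards the designated resolver and drops any other port-53 traffic, so a query sent during the window before rc.local has run has nowhere to leak to. The table name, chain priority, the DNS_VM_IP placeholder and the assumption that the hook runs in the qube that forwards the client's traffic are all assumptions of this example, not facts from the thread.

```shell
#!/bin/sh
# Hypothetical hook, e.g. /rw/config/qubes-firewall.d/50-dns-guard (added example).
# qubes-firewall runs these hooks before qubes-network.service, so the rules
# are in place before the VM's network comes up (see the unit file above).
#
# Assumptions (not from the original post):
#   - DNS_VM_IP is the address of the resolver qube (placeholder value below).
#   - This qube forwards the client's traffic, so the forward hook sees the queries.
#   - A separate table is used so it does not depend on Qubes' own chain names.

DNS_VM_IP="${DNS_VM_IP:-10.137.0.99}"   # constructed placeholder, replace with the real resolver IP

# Print an nft ruleset that allows DNS only towards $1 and drops every other DNS flow.
# "table ... / delete table ..." first makes the reload idempotent on every hook run.
build_ruleset() {
    dns_ip="$1"
    cat <<EOF
table ip dns-guard
delete table ip dns-guard
table ip dns-guard {
    chain forward {
        type filter hook forward priority 10; policy accept;
        ip daddr $dns_ip udp dport 53 accept
        ip daddr $dns_ip tcp dport 53 accept
        udp dport 53 counter drop
        tcp dport 53 counter drop
    }
}
EOF
}

# Load the generated ruleset atomically with nft (assumed to be installed, as on Qubes 4.1+).
apply_ruleset() {
    build_ruleset "$1" | nft -f -
}

# Count how many lines of the ruleset reference the resolver; handy for a quick self-check.
count_allow_rules() {
    build_ruleset "$1" | grep -c "ip daddr $1 "
}

# Only touch the live ruleset when nft exists and we are root (i.e. when run as a real hook).
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    apply_ruleset "$DNS_VM_IP"
fi
```

Running `build_ruleset 10.137.0.99` prints the ruleset without applying it, which is a convenient way to review what the hook would load; `nft list table ip dns-guard` afterwards shows the drop counters climbing if anything tried to resolve outside the allowed path.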