For me, this configuration doesn’t make sense because your connection will be very slow down for a security benefit that seems almost zero to me.
Tell me if I’m wrong but I believe that tor relays use their own dns but you can use dns-crypt, why not…
You can optionally use a vpn to encrypt the exit node…
rather than Tor -> vpn -> tor -> vpn
Tor-ws -> Tor-gw -> sys-vpn -> sys-dnscrypt -> sys-firewall -> sys-net
ou Tor-ws -> Tor-gw -> sys-dnscrypt -> sys-vpn -> sys-firewall -> sys-net
is more than enough!
This topic could help you to configure un dns-crypt VM…