Pi-Hole with dnscrypt-proxy using DoH with anonymous forwarders running under Docker with docker-compose on Raspberry Pi.

dnscrypt-proxy.toml

server_names = [
        'cloudflare',
        'doh-crypto-sx',
        'ams-doh-nl',
# Possible issues.
#        'faelix-ch-ipv4-doh',
        'doh.ffmuc.net'
]

listen_addresses = [
	'127.0.0.1:5353'
]

max_clients = 256

ipv4_servers = true
ipv6_servers = false

dnscrypt_servers = false

doh_servers = true

require_dnssec = true

require_nolog = true
require_nofilter = true

disabled_server_names = []

force_tcp = false

timeout = 5000

lb_strategy = 'p2'
lb_estimator = true

keepalive = 60

blocked_query_response = 'hinfo'

log_level = 2
log_file = '/dev/stdout'

use_syslog = false

cert_refresh_delay = 240

dnscrypt_ephemeral_keys = false

tls_disable_session_tickets = false
tls_cipher_suite = [52392, 49199]

fallback_resolvers = [
	'9.9.9.9:53',
	'1.0.0.1:53'
]

ignore_system_dns = true

netprobe_timeout = 60
netprobe_address = '1.1.1.1:53'

offline_mode = false

log_files_max_size = 0
log_files_max_backups = 0

block_ipv6 = true
block_unqualified = true
block_undelegated = true

reject_ttl = 600

cache = false

[query_log]
  file = '/dev/stdout'

[nx_log]
  file = '/dev/stdout'

[anonymized_dns]
  skip_incompatible = true
  routes = [
    { server_name='*', via=[ 'anon-acsacsar-ams-ipv4', 'anon-ams-nl', 'anon-bcn', 'anon-cs-de2', 'anon-cs-fr', 'anon-cs-fr2', 'anon-cs-nl', 'anon-cs-nl2', 'anon-cs-pt', 'anon-cs-se', 'anon-cs-se', 'anon-cs-sk', 'anon-ibksturm', 'anon-kama', 'anon-meganerd', 'anon-scaleway', 'anon-scaleway-ams', 'anon-serbica', 'anon-skyfighter', 'anon-sth-se', 'anon-yofiji-se-ipv4' ] }
  ]

[sources]
  [sources.'public-resolvers']
  refresh_delay = 72
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  prefix = ''

  [sources.'relays']
  refresh_delay = 72
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
  cache_file = 'relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  prefix = ''

docker-compose.yml

version: '2'

services:
  dnscrypt-proxy:
    container_name: 'dnscrypt-proxy'
    image: 'dnscrypt-proxy:custom'
    hostname: 'dnscrypt-proxy'
    extra_hosts:
      - 'dnscrypt-proxy dnscrypt-proxy.lan:192.168.1.10'
    dns:
      - '127.0.0.1'
    dns_search:
      - 'lan'
    environment:
      TZ: 'Etc/UTC'
    volumes:
       - './dnscrypt-proxy.toml:/config/dnscrypt-proxy.toml'
    network_mode: 'host'
    restart: 'unless-stopped'

  pi-hole:
    container_name: 'pi-hole'
    image: 'pi-hole:custom'
    hostname: 'pi-hole'
    extra_hosts:
      - 'pi-hole pi-hole.lan:192.168.1.10'
    dns:
      - '127.0.0.1'
    dns_search:
      - 'lan'
    environment:
      TZ: 'Etc/UTC'
      IPv6: 'no'
      ServerIP: '192.168.1.10'
      HOSTNAME: 'pi-hole.lan'
      VIRTUAL_HOST: 'pi-hole.lan'
      SKIPGRAVITYONBOOT: 'yes'
      PIHOLE_DNS_DNS1: '127.0.0.1#5353'
      PIHOLE_DNS_DNS2: 'no'
    volumes:
       - 'pihole-etc:/etc/pihole'
       - 'pihole-dnsmasq:/etc/dnsmasq.d'
       - 'pihole-lighttpd:/etc/lighttpd'
       - 'pihole-log:/var/log'
       - './pihole_overwrite_resolv.conf:/etc/resolv.conf'
    network_mode: 'host'
    restart: 'unless-stopped'
    cap_add:
      - 'NET_ADMIN'
      - 'SYS_NICE'
    depends_on:
      - 'dnscrypt-proxy'

volumes:
  pihole-etc:
  pihole-dnsmasq:
  pihole-lighttpd:
  pihole-log:

pihole_overwrite_resolv.conf

search lan
nameserver 127.0.0.1
options ndots:0 edns0 single-request-reopen

Related to https://gist.github.com/kwilczynski/3f64f930d4d31d213e1a5550812d6194.

Related to https://gist.github.com/kwilczynski/eaa948c7fedab9908713ca50445dcc43.