Just installed OpenDNS DNSCrypt for windows. I'm confused by an option that is automatically selected when you install DNSCrypt: "Fall back to insecure DNS"? What exactly is that? By the sound of it sounds like your dns queries are unencrypted. Is it misleading? Yet it says my status is "Protected". Can anyone clarify? Also i assume dns is usually sent with UDP Packets? There is an option "DNSCrypt over TCP / 443 (Slower)" which i assume just means DNS will be sent over SSL which would be sent over SSL but if DNSCrypt actually works and is encrypted why would you need it? For reference: Enable OpenDNS: Checked Enable DNSCrypt: Checked DNS over TCP / 443 (slower): Unchecked Fall back to insecure DNS: Checked Status shows "Protected" --which are all defaults.
If for whatever reason DNSCrypt is unable to make a successful query with encryption enabled it will resort to sending an unencrypted request to the OpenDNS servers. This is to prevent your internet from simply falling over dead should DNSCrypt stop functioning. If you have this option enabled then DNS queries won't fail if they aren't sent successfully while encrypted (For whatever reason) and will instead resort to a good-ole unencrypted DNS request. This shouldn't happen most of the time though I myself have disabled the option. Keep in mind DNSCrypt is still new and this option helps stability greatly (In fact I just fought with DNSCrypt a moment ago when it simply stopped handling DNS queries) DNS is usually sent of UDP Port 53. This is great but firewalls and other security programs can occasionally cause problems with requests. This is why the above option exists, port 443 isn't going to be as heavily restricted (since its used for secure HTTP) and may resolve the problems at the cost of speed. I generally disable "Fall back to insecure DNS" as I prefer security over stability but I have encountered issues with DNSCrypt which I've had to solve on my own. All your answers could be found here: https://www.opendns.com/technology/dnscrypt
Don't use the "fallback to insecure" option. If you care about security, don't use the UI at all. (this also applies to the Mac UI).