OK, it's a 100% CLI setup, as there is no official pfSense package. This relies on the FreeBSD package.
Change to a working directory, e.g. /root
cd /root
Download the FreeBSD 10 dnscrypt-proxy package
fetch http://pkg.freebsd.org/FreeBSD:10:amd64/latest/All/dnscrypt-proxy-1.8.1.txz
Install the package
pkg install dnscrypt-proxy-1.8.1.txz
Test that there are no runtime errors by running the binary with no arguments; you should just see generic output telling you that syntax is needed
dnscrypt-proxy
Now the next bit is dependent on your own config; there are various dnscrypt guides around the web. We assume you will be using OpenDNS dnscrypt servers. I cannot paste mine as it's using my private DNS server.
So run this command, which will use the built-in database to connect to OpenDNS (Cisco)
dnscrypt-proxy --ephemeral-keys --local-address=127.0.0.1:65053 --daemonize -R cisco
You should see a warning that they do logging and also that OpenDNS has no DNSSEC, but no other output aside from those 2 lines. You can verify that it's running with this.
ps ax | grep dns
and look for this
dnscrypt-proxy --ephemeral-keys --local-address=127.0.0.1:65053 --daemonize -R cisco
If it's running then you want it to start automatically on boot, so run the following 2 commands.
sysrc dnscrypt_proxy_enable=YES
sysrc dnscrypt_proxy_flags='--ephemeral-keys --local-address=127.0.0.1:65053 --daemonize -R cisco'
Now it is done but isn't actually being used.
You have created an encrypted tunnel for DNS between your router and OpenDNS, but you still need to tell the router to use that tunnel, and in this case to use the tunnel you need to forward DNS queries to 127.0.0.1 port 65053.
I don't think pfSense supports custom ports in its GUI, so in the DNS resolver settings scroll down to where you see a box for custom options, and add this
forward-zone:
name: "."
forward-addr: 127.0.0.1@65053
Now unbound will forward all internet queries to the tunnel after you save and apply the settings.
That is finally done.
Notes
If you ever update pfSense to 2.4, the binary will stop working; you will need to uninstall the package, and then install the FreeBSD 11 package.
pfSense won't manage the package, meaning if you want to keep up with new versions of dnscrypt-proxy you need to keep an eye on the FreeBSD repo for updates. An easy way is checking on freshports.org.
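
A consistency check for the two settings above, as an added example that is not part of the original post: it confirms that every unbound forward-addr points at the loopback address dnscrypt-proxy listens on, so no query leaves outside the tunnel. The function names and sample strings are constructed for illustration, and IPv4 addresses are assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Compares the dnscrypt-proxy
# flags with the unbound custom options. Assumes IPv4 HOST:PORT addresses.

# Print HOST:PORT taken from --local-address=HOST:PORT in a flags string.
proxy_listen() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^--local-address=//p' | head -n 1
}

# Print each forward-addr (HOST@PORT) from unbound options as HOST:PORT.
unbound_forwards() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*//p' | tr '@' ':'
}

# Return 0 only if the proxy listens on loopback and every forward-addr
# equals that listen address; otherwise print the reason and return 1.
check_tunnel_config() {
    flags=$1
    unbound_opts=$2
    listen=$(proxy_listen "$flags")
    [ -n "$listen" ] || { echo "no --local-address in flags"; return 1; }
    case $listen in
        127.*) ;;
        *) echo "proxy listens on non-loopback address $listen"; return 1 ;;
    esac
    fwds=$(unbound_forwards "$unbound_opts")
    [ -n "$fwds" ] || { echo "no forward-addr configured"; return 1; }
    for f in $fwds; do
        [ "$f" = "$listen" ] || { echo "forward-addr $f is not the proxy at $listen"; return 1; }
    done
    echo "ok: unbound forwards only to $listen"
}

# Constructed sample input mirroring the settings in the post.
SAMPLE_FLAGS='--ephemeral-keys --local-address=127.0.0.1:65053 --daemonize -R cisco'
SAMPLE_OPTS='forward-zone:
name: "."
forward-addr: 127.0.0.1@65053'
check_tunnel_config "$SAMPLE_FLAGS" "$SAMPLE_OPTS"
```

On the router, the first argument can come from `sysrc -n dnscrypt_proxy_flags` and the second from the text pasted into the custom options box.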