Hi Moses, et al,
My recommendation: build your own DNS for your internal name resolutions and a recursive server for external lookups. All can be done in one or two machines and that should resolve all your issues. Make sure that you assign the internal network users the one or two name servers via DHCP.
Using DNSCrypt means that you are prioritizing security over reliability. DNS uses UDP/53 and in some instances TCP/53 for packets larger than 512 bytes. DNSCrypt in my view is like putting rail wheels on your car to drive on the rail line just because there is a traffic jam. You will definitely face a whole new set of problems that you can't deal with or fix.
If you care about DNS security, you are better off enabling DNSSEC validation on your resolver compared to crossing over to a new protocol.
If you are still having problems with your ISP capturing all port 53 traffic, then set up a VPN on the recursive DNS server. That way the rest of your network is not interfered with by the VPN service. In addition, you get to keep the DNS on its protocol lane, and benefit from both reliability and non-filtering by your ISP.
Hope that helps,
Michuki.
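The setup Michuki describes (an internal authoritative server for local names, a validating recursive resolver for everything else) can be expressed as a single Unbound resolver configuration. The fragment below is an added illustration, not something from the original reply or from the Unbound project; the addresses, the internal zone name `corp.example`, the interface and the trust-anchor path are assumptions chosen for the example. It forwards only the internal zone to the internal authoritative server, validates everything else with DNSSEC, and refuses queries from outside the LAN.

```conf
# Added example: Unbound recursive resolver for a LAN, with DNSSEC validation
# and a stub for an internal (unsigned) zone served by a separate authoritative host.
server:
    # Listen on the LAN-facing address handed out to clients via DHCP (assumed address).
    interface: 192.0.2.53
    port: 53

    # Only the internal network may use this resolver; everyone else is refused.
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # DNSSEC validation: root trust anchor maintained via RFC 5011 (assumed path).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    val-log-level: 1

    # The internal zone is not signed, so exempt it from validation;
    # otherwise a signed parent's NSEC proof would mark it as bogus.
    domain-insecure: "corp.example."

    # Allow private (RFC 1918) addresses in answers for the internal zone only;
    # private addresses in answers from any other zone are treated as rebinding and dropped.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "corp.example."

    # Reverse lookups for internal ranges should also go to the internal server.
    local-zone: "10.in-addr.arpa." nodefault

# Send queries for the internal zone to the internal authoritative server (assumed address).
stub-zone:
    name: "corp.example."
    stub-addr: 10.0.0.10

stub-zone:
    name: "10.in-addr.arpa."
    stub-addr: 10.0.0.10
```

With this in place, internal names resolve through the stub, external names are resolved recursively from the root with DNSSEC signatures checked, and clients can confirm validation is active by looking for the AD flag in a `dig` response for a signed domain. If the ISP intercepts port 53, the VPN route applies to this one host's outbound queries only, exactly as the reply suggests.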