Failed on DNSSEC check, EDNS Client Subnet (ECS) problem

[NoRainfallDuckDog]

Hello,

I changed the below:
File: dnscrypt-proxy.toml
bootstrap_resolvers = ['1.1.1.1:53', '1.0.0.1:53']
netprobe_address = '1.1.1.1:53'

I also changed the the below:
File: /etc/resolv.conf
nameserver 127.0.0.1

Checking Tool: dnscheck.tools

After using entry 127.0.0.1, the results from dnscheck.tools included as below:
Your DNS resolvers specify your IP subnet (ECS):

From the search on the internet, it says as below:
An IP subnet (ECS), which stands for "EDNS Client Subnet," is a DNS extension that allows a recursive DNS resolver to send a portion of the client's IP address information (subnet details) to the authoritative nameserver when making a DNS query, essentially revealing the client's network location to the server to optimize traffic routing and improve content delivery based on geographic proximity.

Since ECS reveals some information about the user's location, privacy concerns exist regarding the potential for tracking and profiling based on DNS queries.

The results also included a message that it was not able to perform the DNSSEC.

The check for 127.0.0.1 according to https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Checking worked.

So wanting to have DNSSEC pass the check and not wanting to see the message 'Your DNS resolvers specify your IP subnet (ECS):', I used 'nameserver 1.1.1.1' instead.

To do the check I stopped and paused the proxy and ran dnscheck.tools for 1.1.1.1, and it was able to resolve DNS names. So my questions are:
A. Will using 'nameserver 1.1.1.1' defeat the purpose of DNSCrypt-proxy?
B. Will using 'nameserver 1.1.1.1' still encrypt my DNS traffic?
C. Should I delete DNSCrypt-proxy and not use it; it's enough to specify 1.1.1.1 and 1.0.0.1 for IPv4?

[jedisct1]

bootstrap_resolvers = ['1.1.1.1:53', '1.0.0.1:53']
netprobe_address = '1.1.1.1:53'

This doesn't configure the DNS you will be using. It fact, if the intent is to use Cloudflare, you should put IP addresses that are not part of Cloudflare network.

Take the time to read the documentation, especially https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Configuration

[NoRainfallDuckDog]

This works https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Configuration-Sources

The problem now is the message 'Your DNS resolvers specify your IP subnet (ECS)'; it is still there. It lists the message and below that, it lists my ISP name and country and then below that it lists the subnet IP address as nnn.nn.nnn.0/24:
Your DNS resolvers specify your IP subnet (ECS):
ISP Name Country
nnn.nn.nnn.0/24

Is there a way to control and prevent this from getting around or delete whatever the settings are?

[lifenjoiner]

ECS is the behavior of a DNS resolver, according the explanation from https://medium.com/nextdns/how-we-made-dns-both-fast-and-private-with-ecs-4970d70401e5 .

1. That is the upstream server for dnscrypt-proxy, which you can not control. But, you can carefully choose which resolver/server to use. You can use the making a CHAOS query method to test it. For example, if you use "adguard-dns-unfiltered", it will have ECS.
2. Use the following option brutally, If you even don't want to leak your IP subset.
   

   dnscrypt-proxy/dnscrypt-proxy/example-dnscrypt-proxy.toml

   Lines 134 to 139 in 57c6993

   	## Add EDNS-client-subnet information to outgoing queries
   	##
   	## Multiple networks can be listed; they will be randomly chosen.
   	## These networks don't have to match your actual networks.
   	# edns_client_subnet = ['0.0.0.0/0', '2001:db8::/32']

"No ECS" Vs "getting a nearby IP", you can not have both at the same time, in theory.
The resolver/server always know your IP.

RFC: https://www.rfc-editor.org/rfc/rfc7871#section-7.1