DNSCrypt
By default, DNS traffic is neither encrypted nor authenticated, so some countries or providers may alter the results of domain resolution.
Enable DNSCrypt
The following snippet will enable DNSCrypt and set it as the default system resolver.
{ # configuration.nix
  services.dnscrypt-proxy = {
    enable = true;
    # the official default resolver is unreliable from time to time;
    # either use a different, trustworthy one from here:
    # https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
    # or set up your own (see below).
    #resolverName = "cs-de";
  };
  # send all system DNS queries to the local dnscrypt-proxy
  networking.nameservers = [ "127.0.0.1" ];
}
DNSCrypt with custom resolver
At some point you may want to run your own resolver for privacy, functionality or stability reasons. Setting up dnscrypt-wrapper is straightforward in NixOS.
Server Configuration
Put this in dnscrypt-server.nix and import it from your configuration.nix:
{ config, ... }:
let
  port = 15200;
in {
  services.dnscrypt-wrapper = {
    enable = true;
    # listen on all interfaces for DNSCrypt clients
    address = "0.0.0.0";
    # plain DNS resolver the wrapper forwards decrypted queries to
    upstream.address = "8.8.8.8";
    providerName = "2.dnscrypt-cert.<your server name>";
    inherit port;
  };
  # DNSCrypt runs over UDP; open the chosen port for clients
  networking.firewall.allowedUDPPorts = [ port ];
}
Client Configuration
Put this in dnscrypt-client.nix and import it from your configuration.nix:
{ ... }:
let
  customResolver = {
    # the address must be a string; <your server ip> is a placeholder
    address = "<your server ip>";
    port = 15200;
    name = "2.dnscrypt-cert.<your server name>";
    ## log into the server and run this command in /var/lib/dnscrypt-wrapper
    ## to obtain the provider public key fingerprint to pin here:
    # dnscrypt-wrapper --show-provider-publickey --provider-publickey-file public.key
    key = "0000:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF";
  };
in {
  services.dnscrypt-proxy = {
    enable = true;
    inherit customResolver;
  };
  # point resolvconf at the local dnscrypt-proxy
  networking.extraResolvconfConf = ''
    name_servers='127.0.0.1'
  '';
}
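Before pinning a resolver, either one picked from the dnscrypt-resolvers.csv list mentioned above or your own dnscrypt-wrapper instance, it is worth checking that its entry is well-formed and that the key you put in customResolver.key really matches the one the server prints. The following script is an added example, not part of the NixOS module or the dnscrypt-proxy project; the CSV column names and the sample rows are assumptions constructed for the example.

```python
import csv
import io
import re

# Constructed sample in the layout of dnscrypt-resolvers.csv (the column
# names are an assumption; the rows are made up and not real resolvers).
SAMPLE_CSV = """Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
good-example,Good Example,Sample,DE,,https://example.invalid,1,yes,yes,no,192.0.2.10:443,2.dnscrypt-cert.good.example,0000:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF,
logging-example,Logging Example,Sample,US,,https://example.invalid,1,no,no,no,192.0.2.11:443,2.dnscrypt-cert.logs.example,AAAA:BBBB:CCCC:DDDD:EEEE:FFFF:0000:1111:2222:3333:4444:5555:6666:7777:8888:9999,
broken-example,Broken Example,Sample,US,,https://example.invalid,1,yes,yes,no,192.0.2.12:443,dnscrypt-cert.broken.example,DEADBEEF,
"""

# A DNSCrypt provider key is a 256-bit public key written as 16
# colon-separated groups of 4 hex digits, as dnscrypt-wrapper prints it.
KEY_RE = re.compile(r"^([0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$")
# Provider names carry the certificate-version prefix "2.dnscrypt-cert."
PROVIDER_RE = re.compile(r"^2\.dnscrypt-cert\.[A-Za-z0-9.-]+$")


def normalise_key(key):
    """Fingerprints are compared case-insensitively and without padding."""
    return key.strip().upper()


def resolver_problems(row):
    """Return a list of reasons not to pin this resolver (empty = fine)."""
    problems = []
    if not PROVIDER_RE.match(row["Provider name"]):
        problems.append("provider name is not of the form 2.dnscrypt-cert.<name>")
    if not KEY_RE.match(row["Provider public key"]):
        problems.append("provider public key is not 16 groups of 4 hex digits")
    if row["DNSSEC validation"].lower() != "yes":
        problems.append("no DNSSEC validation")
    if row["No logs"].lower() != "yes":
        problems.append("resolver keeps logs")
    return problems


def load_resolvers(text):
    """Index the CSV rows by the short name used for resolverName."""
    return {row["Name"]: row for row in csv.DictReader(io.StringIO(text))}


def trustworthy(text):
    """Names of resolvers that pass every check, sorted for stable output."""
    return sorted(n for n, r in load_resolvers(text).items() if not resolver_problems(r))


def key_matches(configured, published):
    """True when the customResolver.key pin equals the key the server shows."""
    return normalise_key(configured) == normalise_key(published)
```

Run it against the real CSV by reading the file into `load_resolvers`, and pass the output of `dnscrypt-wrapper --show-provider-publickey` as `published` to `key_matches` to confirm the client pin.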