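Daily brain teaser vs. the GFW: resisting DNS pollution

The setup I ended up with after searching around (honestly, it's just copied)

Environment: CentOS 7.5

dnsmasq + dnscrypt-proxy (uses DNS over HTTPS to resolve domains outside the wall) + dnsmasq-china-list (resolves domains inside the wall)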

1. dnscrypt-proxy installation

wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.42/dnscrypt-proxy-linux_x86_64-2.0.42.tar.gz
tar xf dnscrypt-proxy-linux_x86_64-2.0.42.tar.gz
cd linux-x86_64
mv example-dnscrypt-proxy.toml dnscrypt-proxy.toml
vim dnscrypt-proxy.toml
Changes:
listen_addresses = ['127.0.0.1:35353'] # change the default port 53 to 35353
dnscrypt_servers = false # disable DNSCrypt, use DoH only
End of changes
./dnscrypt-proxy -service install
./dnscrypt-proxy -service start
systemctl status dnscrypt-proxy # check whether the service is running
nslookup tp.m-team.cc 127.0.0.1 -port=35353 # test resolution
or dig @127.0.0.1 -p 35353 tp.m-team.cc

2. dnsmasq changes

vim /etc/dnsmasq.conf
Changes:
no-resolv
no-poll
no-hosts
server=127.0.0.1#35353
cache-size=4096
End of changes
netstat -nautp # check port usage; found a dnsmasq process already running
ps aux | grep dnsmasq # found that the libvirt service had started dnsmasq
yum remove libvirt-daemon
systemctl enable dnsmasq # start on boot

3. dnsmasq-china-list

wget https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/install.sh
bash install.sh
# check the /etc/dnsmasq.d/ directory for newly added files

4. Viewing the dnsmasq query log

vim /etc/dnsmasq.conf
log-queries
log-facility=/var/log/dnsmasq.log
# Check the log: domestic domains are forwarded to 114, foreign domains are forwarded to the local dnscrypt-proxy (DoH)
May 23 21:11:56 dnsmasq[2626]: query[A] sina.com from 127.0.0.1
May 23 21:11:56 dnsmasq[2626]: forwarded sina.com to 180.76.76.76
May 23 21:11:56 dnsmasq[2626]: forwarded sina.com to 114.114.115.115
May 23 21:11:56 dnsmasq[2626]: forwarded sina.com to 114.114.114.114
May 23 21:11:56 dnsmasq[2626]: reply sina.com is 66.102.251.24
May 23 21:12:22 dnsmasq[2626]: query[A] youtube.com from 127.0.0.1
May 23 21:12:22 dnsmasq[2626]: forwarded youtube.com to 127.0.0.1
May 23 21:12:22 dnsmasq[2626]: reply youtube.com is 172.217.161.78
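
An added example, not part of the original post: a Python check over the dnsmasq query log that reports any name not covered by a dnsmasq-china-list server=/domain/upstream rule but forwarded somewhere other than the local dnscrypt-proxy. The sample rules and log lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample rules in the server=/domain/upstream format of dnsmasq-china-list
SAMPLE_CHINA_CONF = """\
server=/sina.com/114.114.114.114
server=/baidu.com/114.114.114.114
"""

# Constructed sample log in the log-queries format shown above
SAMPLE_LOG = """\
May 23 21:11:56 dnsmasq[2626]: forwarded sina.com to 114.114.114.114
May 23 21:11:57 dnsmasq[2626]: forwarded news.sina.com to 180.76.76.76
May 23 21:12:22 dnsmasq[2626]: forwarded youtube.com to 127.0.0.1
May 23 21:13:01 dnsmasq[2626]: forwarded example.org to 114.114.114.114
"""

FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to (\S+)\s*$")
SERVER_RE = re.compile(r"^server=/([^/]+)/")


def load_china_domains(conf_text):
    """Collect the domains named in server=/domain/upstream lines."""
    domains = set()
    for line in conf_text.splitlines():
        m = SERVER_RE.match(line.strip())
        if m:
            domains.add(m.group(1).lower().rstrip("."))
    return domains


def is_listed(name, domains):
    """dnsmasq applies server=/domain/ to the domain and all of its subdomains."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def find_leaks(log_text, domains, local_upstream="127.0.0.1"):
    """Return (name, upstream) pairs where an unlisted name bypassed dnscrypt-proxy."""
    leaks = set()
    for line in log_text.splitlines():
        m = FORWARD_RE.search(line)
        if m and m.group(2) != local_upstream and not is_listed(m.group(1), domains):
            leaks.add((m.group(1).lower(), m.group(2)))
    return sorted(leaks)


if __name__ == "__main__":
    for name, upstream in find_leaks(SAMPLE_LOG, load_china_domains(SAMPLE_CHINA_CONF)):
        print(f"cleartext upstream used: {name} -> {upstream}")
```

On a real host, pass the contents of /var/log/dnsmasq.log and of the china-list file under /etc/dnsmasq.d/ instead of the constructed samples.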

5. Open port 53 in the firewall

firewall-cmd --permanent --add-service=dns
systemctl restart firewalld

nslookup against 192.168.1.202 from another IP succeeded
