
I have a Windows 2003 server with AD integrated DNS. I'm trying to configure the server to make outgoing (forwarded) DNS requests through dnscrypt proxy instead of through the normal TCP/UDP 53.

I set up dnscrypt to run on 127.0.0.7 with the command dnscrypt-proxy.exe -R opendns -L dnscrypt-resolvers.csv --local-address 127.0.0.7. When I try to test the DNS connection with nslookup google.com 127.0.0.7, I get the error message [WARNING] sendto: [No route to host [WSAEHOSTUNREACH ]].

EDIT: Here is the output of route print while dnscrypt was running on 127.0.0.7.

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...4c 00 10 53 0c 4c ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Kerio WinRoute Firewall
0x3 ...00 16 76 c8 8c cc ...... Intel(R) 82566DC Gigabit Network Connection - Kerio WinRoute Firewall
0x10005 ...44 45 53 54 4f 53 ...... Kerio Virtual Network Adapter - Kerio WinRoute Firewall
===========================================================================
===========================================================================
        Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.2.1      192.168.2.2      1
            127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
          192.168.1.0    255.255.255.0      192.168.1.2      192.168.1.2     20
          192.168.1.2  255.255.255.255        127.0.0.1        127.0.0.1     20
        192.168.1.102  255.255.255.255      192.168.3.1      192.168.3.1      1
        192.168.1.255  255.255.255.255      192.168.1.2      192.168.1.2     20
          192.168.2.0    255.255.255.0      192.168.2.2      192.168.2.2     20
          192.168.2.2  255.255.255.255        127.0.0.1        127.0.0.1     20
        192.168.2.255  255.255.255.255      192.168.2.2      192.168.2.2     20
          192.168.3.0    255.255.255.0      192.168.3.1      192.168.3.1     20
          192.168.3.1  255.255.255.255        127.0.0.1        127.0.0.1     20
        192.168.3.255  255.255.255.255      192.168.3.1      192.168.3.1     20
            224.0.0.0        240.0.0.0      192.168.1.2      192.168.1.2     20
            224.0.0.0        240.0.0.0      192.168.2.2      192.168.2.2     20
            224.0.0.0        240.0.0.0      192.168.3.1      192.168.3.1     20
      255.255.255.255  255.255.255.255      192.168.1.2      192.168.1.2      1
      255.255.255.255  255.255.255.255      192.168.2.2      192.168.2.2      1
      255.255.255.255  255.255.255.255      192.168.3.1      192.168.3.1      1
    Default Gateway:       192.168.2.1
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
        192.168.1.102  255.255.255.255      192.168.3.1       1

As a test, I ran dnscrypt with 127.0.0.1 (which works) and compared the process monitor output of the two configurations. Here's a screenshot of the kdiff of the two.

[Image: kdiff comparison]

Here are the original Process Monitor logs:

Command: dnscrypt-proxy.exe -R opendns -L dnscrypt-resolvers.csv --local-address 127.0.0.1

Time of Day Process Name    PID Operation   Path    Result  Detail
57:57.2 dnscrypt-proxy.exe  5492    UDP Receive 127.0.0.1:53 -> 127.0.0.1:2549  SUCCESS Length: 40
57:57.2 dnscrypt-proxy.exe  5492    UDP Send    192.168.2.2:2546 -> 208.67.220.220:443  SUCCESS Length: 512
57:57.2 dnscrypt-proxy.exe  5492    UDP Send    192.168.2.2:2546 -> 192.168.2.1:0   SUCCESS Length: 554
57:57.3 dnscrypt-proxy.exe  5492    UDP Receive 192.168.2.2:2546 -> 208.67.220.220:443  SUCCESS Length: 304
57:57.3 dnscrypt-proxy.exe  5492    UDP Send    127.0.0.1:53 -> 127.0.0.1:2549  SUCCESS Length: 110
57:57.3 dnscrypt-proxy.exe  5492    UDP Receive 127.0.0.1:53 -> 127.0.0.1:2550  SUCCESS Length: 42
57:57.3 dnscrypt-proxy.exe  5492    UDP Send    192.168.2.2:2546 -> 208.67.220.220:443  SUCCESS Length: 512
57:57.3 dnscrypt-proxy.exe  5492    UDP Send    192.168.2.2:2546 -> 192.168.2.1:0   SUCCESS Length: 554
57:57.3 dnscrypt-proxy.exe  5492    UDP Receive 192.168.2.2:2546 -> 208.67.220.220:443  SUCCESS Length: 368
57:57.3 dnscrypt-proxy.exe  5492    UDP Send    127.0.0.1:53 -> 127.0.0.1:2550  SUCCESS Length: 128
57:57.3 dnscrypt-proxy.exe  5492    UDP Receive 127.0.0.1:53 -> 127.0.0.1:2551  SUCCESS Length: 28
57:57.3 dnscrypt-proxy.exe  5492    UDP Send    192.168.2.2:2546 -> 208.67.220.220:443  SUCCESS Length: 512
57:57.4 dnscrypt-proxy.exe  5492    UDP Receive 192.168.2.2:2546 -> 208.67.220.220:443  SUCCESS Length: 304
57:57.4 dnscrypt-proxy.exe  5492    UDP Send    127.0.0.1:53 -> 127.0.0.1:2551  SUCCESS Length: 135

and

Command: dnscrypt-proxy.exe -R opendns -L dnscrypt-resolvers.csv --local-address 127.0.0.7

Time of Day Process Name    PID Operation   Path    Result  Detail
59:40.5 dnscrypt-proxy.exe  5212    UDP Receive 127.0.0.7:53 -> 127.0.0.7:2562  SUCCESS Length: 40
59:40.5 dnscrypt-proxy.exe  5212    UDP Send    192.168.2.2:2563 -> 208.67.220.220:443  SUCCESS Length: 512
59:40.6 dnscrypt-proxy.exe  5212    UDP Receive 192.168.2.2:2563 -> 208.67.220.220:443  SUCCESS Length: 240
59:42.5 dnscrypt-proxy.exe  5212    UDP Receive 127.0.0.7:53 -> 127.0.0.7:2564  SUCCESS Length: 42
59:42.5 dnscrypt-proxy.exe  5212    UDP Send    192.168.2.2:2563 -> 208.67.220.220:443  SUCCESS Length: 512
59:42.6 dnscrypt-proxy.exe  5212    UDP Receive 192.168.2.2:2563 -> 208.67.220.220:443  SUCCESS Length: 240
59:44.5 dnscrypt-proxy.exe  5212    UDP Receive 127.0.0.7:53 -> 127.0.0.7:2565  SUCCESS Length: 28
59:44.5 dnscrypt-proxy.exe  5212    UDP Send    192.168.2.2:2563 -> 208.67.220.220:443  SUCCESS Length: 512
59:44.6 dnscrypt-proxy.exe  5212    UDP Receive 192.168.2.2:2563 -> 208.67.220.220:443  SUCCESS Length: 240
59:44.6 dnscrypt-proxy.exe  5212    UDP Send    192.168.2.2:2563 -> 127.0.0.7:2565  SUCCESS Length: 135
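
The comparison of the two captures can also be done programmatically. The following is an added example, not part of the original question: it pairs each client query received on the proxy's listening socket with a reply sent from that same socket, and reports queries that never got one and replies that left a different local socket. The function name `audit` is hypothetical, and the script assumes Process Monitor's Path column reads "local endpoint -> remote endpoint".

```python
import re

# Assumption: Process Monitor's Path column reads "local endpoint -> remote endpoint".
ROW = re.compile(r"UDP (Send|Receive)\s+(\S+) -> (\S+)")

def audit(capture, listener):
    """Match client queries received on `listener` to replies sent from it."""
    pending, wrong_source = [], []
    for line in capture.splitlines():
        m = ROW.search(line)
        if not m:
            continue  # header or unrelated row
        op, local, remote = m.groups()
        if op == "Receive" and local == listener:
            pending.append(remote)                    # client query arrived
        elif op == "Send" and remote in pending:
            if local == listener:
                pending.remove(remote)                # reply left the listening socket
            else:
                wrong_source.append((local, remote))  # reply left another socket
    return {"unanswered": pending, "wrong_source": wrong_source}

# Sample input: rows copied from the two captures in the question.
WORKING = """\
57:57.2 dnscrypt-proxy.exe  5492    UDP Receive 127.0.0.1:53 -> 127.0.0.1:2549  SUCCESS Length: 40
57:57.2 dnscrypt-proxy.exe  5492    UDP Send    192.168.2.2:2546 -> 208.67.220.220:443  SUCCESS Length: 512
57:57.2 dnscrypt-proxy.exe  5492    UDP Send    192.168.2.2:2546 -> 192.168.2.1:0   SUCCESS Length: 554
57:57.3 dnscrypt-proxy.exe  5492    UDP Receive 192.168.2.2:2546 -> 208.67.220.220:443  SUCCESS Length: 304
57:57.3 dnscrypt-proxy.exe  5492    UDP Send    127.0.0.1:53 -> 127.0.0.1:2549  SUCCESS Length: 110
"""
BROKEN = """\
59:40.5 dnscrypt-proxy.exe  5212    UDP Receive 127.0.0.7:53 -> 127.0.0.7:2562  SUCCESS Length: 40
59:40.5 dnscrypt-proxy.exe  5212    UDP Send    192.168.2.2:2563 -> 208.67.220.220:443  SUCCESS Length: 512
59:40.6 dnscrypt-proxy.exe  5212    UDP Receive 192.168.2.2:2563 -> 208.67.220.220:443  SUCCESS Length: 240
59:42.5 dnscrypt-proxy.exe  5212    UDP Receive 127.0.0.7:53 -> 127.0.0.7:2564  SUCCESS Length: 42
59:42.5 dnscrypt-proxy.exe  5212    UDP Send    192.168.2.2:2563 -> 208.67.220.220:443  SUCCESS Length: 512
59:42.6 dnscrypt-proxy.exe  5212    UDP Receive 192.168.2.2:2563 -> 208.67.220.220:443  SUCCESS Length: 240
59:44.5 dnscrypt-proxy.exe  5212    UDP Receive 127.0.0.7:53 -> 127.0.0.7:2565  SUCCESS Length: 28
59:44.5 dnscrypt-proxy.exe  5212    UDP Send    192.168.2.2:2563 -> 208.67.220.220:443  SUCCESS Length: 512
59:44.6 dnscrypt-proxy.exe  5212    UDP Receive 192.168.2.2:2563 -> 208.67.220.220:443  SUCCESS Length: 240
59:44.6 dnscrypt-proxy.exe  5212    UDP Send    192.168.2.2:2563 -> 127.0.0.7:2565  SUCCESS Length: 135
"""

if __name__ == "__main__":
    print(audit(WORKING, "127.0.0.1:53"))
    print(audit(BROKEN, "127.0.0.7:53"))
```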
