What is the proper firewall rule(s) to use dnscrypt-proxy?


Null
Dec 18, 2019, 9:38:26 AM
to qubes-users

Good day,
I have dnscrypt-proxy working in sys-net only. But I am stuck on how to forward DNS requests moving from sys-firewall and the VMs behind it so that sys-net can route them out via the proxy.
I only have dnscrypt-proxy running; it is not combined with unbound or dnsmasq.

The firewall rule in sys-firewall is 
Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    69 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.1           udp dpt:53 to:10.139.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.1           tcp dpt:53 to:10.139.1.1
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.2           udp dpt:53 to:10.139.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.2           tcp dpt:53 to:10.139.1.2

and in sys-net it is

Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination
   16   960 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.1           udp dpt:53 to:127.0.0.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.1           tcp dpt:53 to:127.0.0.1
   14   840 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.2           udp dpt:53 to:127.0.0.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.2           tcp dpt:53 to:127.0.0.1

My firewall routing is self-taught and not great, but from the looks of it DNS requests from sys-firewall are being forwarded to sys-net on 10.139.1.1, which is receiving them and forwarding them to 127.0.0.1, which is what dnscrypt is using. Yet with it running I cannot resolve any DNS outside of sys-net.

thanks in advance
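
An added example, not part of the original post: a small parser for the two `PR-QBS` listings above that traces where a DNS query to 10.139.1.1 ends up after each hop and flags rules that DNAT to a loopback address. On Linux, a packet arriving on a non-loopback interface is only routed to 127.0.0.0/8 when `net.ipv4.conf.<iface>.route_localnet` is 1 on that interface, so such rules are the first thing to check; the function names are hypothetical and the rows are copied from the post with whitespace normalized.

```python
import ipaddress
import re

# `PR-QBS` rows as shown in the post (whitespace normalized).
SYS_FIREWALL = """
1 69 DNAT udp -- * * 0.0.0.0/0 10.139.1.1 udp dpt:53 to:10.139.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.1 tcp dpt:53 to:10.139.1.1
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.2 udp dpt:53 to:10.139.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.2 tcp dpt:53 to:10.139.1.2
"""
SYS_NET = """
16 960 DNAT udp -- * * 0.0.0.0/0 10.139.1.1 udp dpt:53 to:127.0.0.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.1 tcp dpt:53 to:127.0.0.1
14 840 DNAT udp -- * * 0.0.0.0/0 10.139.1.2 udp dpt:53 to:127.0.0.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.2 tcp dpt:53 to:127.0.0.1
"""

RULE = re.compile(r"DNAT\s+(?P<proto>udp|tcp)\s+--\s+\S+\s+\S+\s+\S+\s+(?P<dst>\S+)"
                  r"\s+(?:udp|tcp)\s+dpt:(?P<dport>\d+)\s+to:(?P<to>[\d.]+)")

def parse_rules(listing):
    """Return one dict per DNAT row; header and blank lines are skipped."""
    return [m.groupdict() for m in map(RULE.search, listing.splitlines()) if m]

def apply_dnat(rules, proto, dst, dport):
    """First matching rule wins, as in iptables; unmatched packets keep their destination."""
    for r in rules:
        if r["proto"] == proto and int(r["dport"]) == dport and \
           ipaddress.ip_address(dst) in ipaddress.ip_network(r["dst"]):
            return r["to"]
    return dst

def trace(hops, proto, dst, dport=53):
    """Follow a packet through each qube's PR-QBS chain in order."""
    path = []
    for name, rules in hops:
        dst = apply_dnat(rules, proto, dst, dport)
        path.append((name, dst))
    return path

def loopback_targets(rules):
    """Rules rewriting to 127.0.0.0/8; these depend on route_localnet=1 on the ingress interface."""
    return [r for r in rules if ipaddress.ip_address(r["to"]).is_loopback]

if __name__ == "__main__":
    hops = [("sys-firewall", parse_rules(SYS_FIREWALL)), ("sys-net", parse_rules(SYS_NET))]
    print(trace(hops, "udp", "10.139.1.1"))
    for r in loopback_targets(hops[1][1]):
        print("check route_localnet for:", r["proto"], r["dst"], "->", r["to"])
```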