Do you really mean that sys-firewall and the qubes below it don't have
access to the internet? Or do you mean that you have broken DNS resolution?
You could easily check this by accessing a site by IP address rather
than by name from sys-firewall.
Usually, the NAT table rules in sys-net route DNS traffic outbound to
the DNS servers set on sys-net (e.g. those given out by DHCP).
While dnscrypt-proxy is running, look at the iptables rules in the NAT
and filter chains and see what is happening.
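
The NAT check suggested above, as an added example that is not part of the original post: a shell filter that reads `iptables -t nat -S` output and lists where port-53 traffic is being rewritten to. The sample rules, chain name and all addresses are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S` output (not taken from a real system).
SAMPLE_RULES='-P PREROUTING ACCEPT
-N PR-QBS
-A PREROUTING -j PR-QBS
-A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1:53
-A POSTROUTING -o eth0 -j MASQUERADE'

# Read rules on stdin; print "chain proto destination" for every rule that
# rewrites traffic addressed to port 53 (DNAT or REDIRECT targets).
dns_dnat_targets() {
    awk '
    $1 == "-A" {
        chain = $2; proto = ""; dport = ""; target = ""; to = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--to-destination") to = $(i + 1)
            else if ($i == "--to-ports") to = "local:" $(i + 1)
        }
        if (dport != "53") next
        if (target == "DNAT") { sub(/:[0-9]+$/, "", to); print chain, proto, to }
        else if (target == "REDIRECT") print chain, proto, to
    }'
}

# Read rules on stdin; print only the DNS rewrites that do NOT point at the
# resolver address given as $1 (e.g. the address a local proxy listens on).
dns_not_via() {
    dns_dnat_targets | awk -v want="$1" '$3 != want'
}

# Offline demonstration on the constructed sample.
# On a live system: iptables -t nat -S | dns_dnat_targets
printf '%s\n' "$SAMPLE_RULES" | dns_dnat_targets
```

If `dns_not_via` prints anything for the resolver address you expect, DNS is still being sent somewhere else by the NAT rules.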