Is the DNSCrypt running inside the Kamoj Add-On only going to resolve things initiated FROM the R9000, or is there a way to have it act as a DNS Server of its own?
I cannot answer for an R9000 in AP mode. But an R7800 acts as follows:
with DNSCrypt enabled via Kamoj:
clients who are configured to use the router as DNS (for instance via DHCP), send their DNS queries to router IP via port 53.
dnsmasq on the router intercepts the request and forwards it to DNSCrypt
DNSCrypt sends the request to one of the configured DNSCrypt servers. (if not on any configured blacklist).
Once the answer comes in, dnsmasq sends it to client.
Router itself (for instance in SSH session) uses the DNS servers that are configured in /etc/resolv.conf
So if you want your router to also use DNSCrypt for DNS lookups, then you need to change "Internet Setup" and manually specified your router IP as the only DNS server.
Risk of this approach: The moment you disable DNScrypt, your DNS breaks. dnsmasq will then try to resolve via itself, causing a loop.
Also, afaik, by default, dnsmasq (and thus DNSCrypt) is disabled when the router is in AP mode. (at least it is on R7800).
So you would have to alter some configuration files in order for dnsmasq (and maybe DNScrypt) to be started when router is in AP mode.
(probably /etc/init.d/dnsmasq)
And I don't know if you can specify the DNS server via GUI, if you are in AP mode.