I have an n100 box that I put opnsense on for routing, firewall, DHCP, DNS and IDS. It uses unbound for DNS and so I'm leveraging the blocklist functionality in unbound. And then I use unbound to resolve instead of using DoT forwarding.
DNSBL is only a small component of effective network security. Arguably the firewall is most important and so I have a default deny all for any device on my LAN trying to reach the Internet.
All applications need specific allows. Thus internally no device can use DNS over TLS because 853 is blocked by default. Then I use a DNSBL to catch known DoH by domain since the cert is provided by domain name.
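As an added example (not code from the original post or from OPNsense/unbound), a small Python simulation of the two layers described here: a default-deny egress policy in which port 853 is simply not on the allow list, and an unbound-style blocklist whose zones also cover their subdomains. The allow rules, zone names and addresses are constructed.

```python
"""Constructed model of the post's layered policy: default-deny egress firewall
plus an unbound-style DNSBL. Nothing here is real infrastructure."""

# Constructed egress allow rules: (protocol, port) pairs explicitly permitted.
# Everything else, including tcp/853 for DoT, is denied by default.
EGRESS_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 123)}

# Constructed DNSBL in unbound local-zone style: a listed zone is blocked
# together with all of its subdomains, which is how local-zone matching works.
DNSBL_ZONES = {"doh.example", "dns.resolver-example.net"}


def egress_allowed(proto: str, port: int) -> bool:
    """Firewall layer: a flow passes only if explicitly listed."""
    return (proto.lower(), port) in EGRESS_ALLOW


def dnsbl_hit(qname: str) -> bool:
    """DNSBL layer: true if qname or any parent zone is on the blocklist."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in DNSBL_ZONES for i in range(len(labels)))


def resolve(qname: str, upstream_answer: str) -> str:
    """Resolver with blocklist: NXDOMAIN on a hit, else the upstream answer."""
    return "NXDOMAIN" if dnsbl_hit(qname) else upstream_answer


def client_connect(proto: str, port: int, qname: str, upstream_answer: str) -> str:
    """A LAN client resolves a name, then tries to connect; returns the decision.

    DoT is stopped by the firewall (853 unlisted); DoH on 443 is stopped only
    when its hostname is on the DNSBL, since 443 itself must stay allowed.
    """
    answer = resolve(qname, upstream_answer)
    if answer == "NXDOMAIN":
        return "blocked-by-dnsbl"
    if not egress_allowed(proto, port):
        return "blocked-by-firewall"
    return f"allowed:{answer}:{port}"
```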