Little of column A little of column B.

I use pihole on the LAN, then upstream is cloudflared translating DNS to DOH using NextDNS as the primary and Quad9 as the fallback.

Looking at the last 24hrs; the whole network has made 91k DNS requests, 14.5% of that being passed to the upstream (the rest is locally cached responses or blocked) so ~12.7k served by NextDNS. When/if that 300k limit is reached, cloudflared will just fallback to Quad9.

With this I get the blocking from NextDNS as well as whatever additional lists I want to use; plus pihole serves local only records for self-hosted services and fixed names for LAN devices (I find standard broadcasted hostnames unreliable at best).