opnsense + ctrld[0] + unbound works great and automatically upgrades upstream requests to DoH (etc.)
Was using NextDNS for a while, but stability and performance was a common issue. I like the idea of something like pihole, but ControlD is good, works anywhere, and is easy to manage.