Have you tried putting this behind a reverse proxy? This gives us a lot of features like rate-limiting and it should work well since it is https after all.
I put Unbound directly on the web to play with for now, having some quirks with haproxy. It has an hourly cron job that pre-caches the Cloudflare Top 20000 or so .com .net .org .is domains and some domains I use.