This is what I do, but with Unbound DNS on OPNsense with DNS forwarding to my business Cloudflare account, which gives me additional filtering options.
Allows me to properly do DNS caching and filtering in Unbound and then leverage Cloudflare to do additional security threat filtering on top.
Then it’s just a matter of setting up a firewall rule to redirect any port 53 traffic to the local Unbound DNS and blocking all 853 traffic to ensure all IoT devices aren’t using their own hard-coded DNS.
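As an added illustration (not part of the comment above, and not OPNsense's own generated config), here is roughly what those two GUI rules amount to in pf syntax on the FreeBSD-based firewall. The interface name `igc1`, the LAN subnet and the firewall's LAN address are assumptions chosen for the example.

```pf
# Added illustration only. Interface, subnet and address below are assumed values.
lan_if  = "igc1"            # assumed LAN interface name
lan_net = "192.168.1.0/24"  # assumed LAN subnet
unbound = "192.168.1.1"     # assumed firewall LAN address where Unbound listens

# 1. Port forward: any plain DNS (udp/tcp 53) from the LAN that is NOT already
#    aimed at the firewall gets redirected to the local Unbound resolver.
rdr on $lan_if inet proto { udp, tcp } from $lan_net to ! $unbound port 53 -> $unbound port 53

# 2. Let the redirected queries reach Unbound.
pass in quick on $lan_if inet proto { udp, tcp } from $lan_net to $unbound port 53

# 3. Block DNS-over-TLS (tcp 853) outbound so a device with a hard-coded DoT
#    resolver cannot bypass the redirect. Logging makes the bypass attempts visible.
block return quick log on $lan_if inet proto tcp from $lan_net to any port 853
```

In the OPNsense GUI, rule 1 corresponds to a Port Forward under Firewall > NAT with the destination set to "not" the LAN address, and rule 3 to a LAN rule under Firewall > Rules. Reviewing the firewall log for hits on the 853 block rule is a quick way to spot which devices are trying to use their own resolver. One caveat worth knowing: this catches plain DNS and DNS-over-TLS, but DNS-over-HTTPS rides on tcp 443 and is not stopped by either rule.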