Network-wide bullshit-blocking setup with Blocky and Tailscale

I will use an Orange Pi 5 Plus, but any device, including single board computers, should work, as long as they can run the latest stable Debian or Armbian release.

Orange Pi 5 Plus

Unbound for recursive DNS resolver on 127.0.0.1:5335
Blocky for DNS proxy, ad-blocking, and malware-blocking on 0.0.0.0:53. Uses Unbound on 127.0.0.1:5335 as upstream resolver.
Tailscale with –accept-dns=false
unbound-resolveconf.service should be disabled, and /etc/resolv.conf should not be managed by any other service.

I just put the following contents into /etc/resolv.conf for the Orange Pi 5 Plus's local DNS resolution:

nameserver 9.9.9.9
nameserver 149.112.112.112

I have Blocky configured to use the strict strategy for the upstreams setting, so after a timeout of the topmost upstream server it will fallback to the next one, which is Quad9.

An idea I have is to setup a cheap VPS on Vultr or something and run a public DNS resolver on it, but Quad9 is fine for now.

I have the Orange Pi 5 Plus's Tailnet IP address configured to be my Tailnet's global nameserver. This can be done through the Tailscale admin console under the DNS tab. So every device on my Tailnet that uses MagicDNS will be using Blocky and Unbound.

Blocky configuration

upstreams:  
  strategy: strict  
  groups:  
    default:  
      - 127.0.0.1:5335  
      - 9.9.9.9  
      - 149.112.112.112  

blocking:  
  denylists:  
    ads:  
      - <https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts>  
      - <https://adaway.org/hosts.txt>  
      - <https://v.firebog.net/hosts/AdguardDNS.txt>  
    suspicious:  
      - <https://v.firebog.net/hosts/static/w3kbl.txt>  
    tracking:  
      - <https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt>  
      - <https://v.firebog.net/hosts/Easyprivacy.txt>  
      - <https://v.firebog.net/hosts/Prigent-Ads.txt>  
    malicious:  
      - <http://phishing.mailscanner.info/phishing.bad.sites.conf>  
      - <https://v.firebog.net/hosts/Prigent-Crypto.txt>  
      - <https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts>  

  clientGroupsBlock:  
    default:  
      - ads  
      - suspicious  
      - tracking  
      - malicious  

ports:  
  dns: 53  
  http: 4000  

prometheus:  
  enable: yes  

caching:  
  minTime: 60s  
  maxItemsCount: 10000  
  prefetching: yes  
  prefetchMaxItemsCount: 2000  

queryLog:  
  type: csv-client  
  target: /home/jas/dns-query-logs  
  logRetentionDays: 5  
clientLookup:  
  upstream: 10.0.0.1  
  singleNameOrder:  
    - 1