sappy_junior728 Why use the blocklists on your device instead of using something like NextDNS?
Winston why'd you go with RethinkDNS? How do you have it configured?
Since NextDNS is a cloud-based service, it's trusting another party with plaintext data (DNS queries) that you don't have to. I have nothing against them specifically, but I'd rather have the blocklists locally and the combined connection + DNS logs on device so I can troubleshoot any issues (like a domain in the downloaded blocklist that I want to be able to access - or the other way around).
Also, if you're using a VPN, you might as well use your VPN provider's DNS resolver instead of a 3rd party one because that's also adding to how many parties can profile your traffic. The VPN provider can already see the hostname of the server you're connecting to in the TLS SNI so 3rd party DoH/DoT doesn't get you much unless you're only visiting sites that support Encrypted Client Hello (ECH) - which is very very few.
Combine the fact that RethinkDNS has a built-in WireGuard client and that the firewall & DNS blocking is done within the VPN tunnel and it's hard to find a competing option. Especially because on Android, a firewall and DNSBL app has to have an active VPN interface enabled in the system settings, it would be hard (if not impossible according to my understanding) to have a separate VPN app active at the same time.
As for my configuration, I won't list all the settings since there's a lot but the main ones are "block all app connectivity by default" and then I whitelist them as needed (this isn't nearly as strong as the GOS network permission but just an additional layer) and the other settings are "block connections attempting to circumvent local DNS" and "block unencrypted HTTP traffic".
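The SNI point in the reply above is worth seeing concretely: the hostname a client is connecting to sits unencrypted in the TLS ClientHello, so whoever carries the packet (a VPN provider, an on-path firewall, or a hostname-based blocker like the one discussed) can read it even when DNS itself goes over DoH/DoT. The following is an added example, not code from the thread or from RethinkDNS. It constructs a minimal TLS 1.2-style ClientHello carrying a server_name extension for a sample hostname (the random bytes are zeros and the cipher suite list is a single entry, purely for illustration) and then parses the record the way a passive observer would, walking the handshake layout to the extensions and pulling out the host_name entry. Only ECH would hide this field, which is why the reply says a third-party encrypted resolver buys little on its own.

```python
import struct


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal ClientHello record with an SNI extension.

    This is a constructed sample for the parser below, not a real handshake:
    the 32-byte random is all zeros and only one cipher suite is listed.
    """
    name = hostname.encode("ascii")
    # ServerName entry: name_type 0 (host_name), u16 length, the name bytes
    server_name = b"\x00" + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    # Extension: type 0x0000 (server_name), u16 length, ServerNameList
    sni_ext = struct.pack("!HH", 0, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (zeros; constructed)
        + b"\x00"              # session_id length: 0
        + b"\x00\x02\x13\x01"  # cipher_suites: 2 bytes, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression_methods: 1 byte, null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    # TLS record: content type 0x16 (handshake), legacy version 3.1, u16 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.

    Every length field is bounds-checked so a truncated or non-handshake
    record yields None instead of an exception.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:
        return None
    pos = 2 + 32                              # skip client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                        # skip session_id
    if pos + 2 > len(body):
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                         # skip cipher_suites
    if pos + 1 > len(body):
        return None
    cm_len = body[pos]
    pos += 1 + cm_len                         # skip compression_methods
    if pos + 2 > len(body):
        return None                           # no extensions block present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0:                        # 0 = server_name
            continue
        if len(data) < 2:
            return None
        lpos = 2                              # skip ServerNameList length
        while lpos + 3 <= len(data):
            ntype = data[lpos]
            nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            lpos += 3
            if ntype == 0:                    # host_name
                return data[lpos:lpos + nlen].decode("ascii", "replace")
            lpos += nlen
    return None


if __name__ == "__main__":
    sample = build_client_hello("example.com")   # constructed sample hostname
    print("on-path observer sees SNI:", extract_sni(sample))
```

The parser only reads the bytes that are on the wire before any key exchange completes, which is exactly the position a VPN provider or transit network is in; the `extract_sni` function is also the same check a hostname-based firewall would run to decide whether to drop a flow.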