Hacker News

Bender, today at 12:27 AM (5 replies)

I use Unbound locally as a DoH server. The Alpine Linux Unbound package is compiled with libnghttp2, required for the built in DoH listener. That's more than enough to enable ECH [1].

I pre-cache all the domains I use hourly via cron. My ISP is not going to dork with my DNS requests and their employees are bigger deviants than I. If I ever started browsing the web from a phone I would just set up my own public DoH server. It only takes a few minutes and gives me my own query logs for debugging weird issues.

[1] - https://tls-ech.dev/


Replies

exiguus, today at 3:18 AM

I use my own public powerdns dnsdist and recursor/authoritative instances for DoH, DoT, DoQ, TCP and UDP now for ~3 years. Setup took some time, because I used bind, unbound and dnsmasq before. It's super stable and I can also use it on my mobile or legacy devices and as resolver in unbound, adguard/dnsproxy or just in my local resolv.conf.

harshreality, today at 12:43 AM

Why pre-cache? For speed... what is it, 30-50ms at most? If the authoritative server's TTL is < 60 minutes, do you force it to 3600? Do you audit all the connections that occur for every website you visit, collect all the domains hosting assets, and pre-cache those as well, or is the main site's domain the only critical one because that affects perceived latency the most?

TacticalCoder, today at 2:34 PM

I run unbound too here. I love it that it takes wildcards to blacklist domains. I'm using big lists of domains to block and then I've got a whitelist that supersedes the blocked ones.

And I've got a little tool that takes:

    ayt7.ads.acme.com
    afi6.ads.acme.com
    foi5.ads.acme.com

and simplifies it to:

    ads.acme.com

Then I've got a script which generates variations of the domain names I use. Say if I use:

    mybank.com (legit)

I block:

    myb4nk.com
    mibank.com
    mybank.{any other tld}

etc.

I generate hundreds of thousands of such variations: all blacklisted by unbound.

I did it after one of my banks sent me an example of a very convincing phishing site.

Been using such a setup for years now. A million blocklisted domains runs fine on an old Pi 3. I take it that on a more powerful computer unbound can deal with blocklists with millions if not tens of millions of domains (and, no, I haven't moved to whitelisting only).

I also block all unicode domains. I simply cannot access a domain name that uses unicode characters in its name (and, no, I don't care).

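As an added example, not the commenter's own tool: a Python script that does the first half of what is described in the comment above, collapsing sibling hostnames to their shared parent and emitting unbound `local-zone` entries, with an allowlist entry that overrides a blocked parent. The function names, the `min_labels` guard and the sample hosts are constructed for this example.

```python
"""Collapse a hostname list to shared parents and emit unbound local-zone lines."""
from collections import defaultdict

# Constructed sample input, shaped like the hosts in the comment above.
BLOCK = ["ayt7.ads.acme.com", "afi6.ads.acme.com", "foi5.ads.acme.com",
         "cdn.acme.com", "tracker.ads.acme.com", "img.acme.com."]
ALLOW = ["img.acme.com"]          # constructed allowlist that must win over blocks

def norm(name):
    return name.strip().lower().rstrip(".")

def collapse(hosts, min_siblings=2, min_labels=3):
    """Replace names that share a parent with the parent itself, when at least
    min_siblings of them exist and the parent keeps min_labels labels, so that
    a few ad hosts never blocklist a whole registrable domain like acme.com."""
    names = {norm(h) for h in hosts if h.strip()}
    by_parent = defaultdict(set)
    for n in names:
        labels = n.split(".")
        if len(labels) > min_labels:
            by_parent[".".join(labels[1:])].add(n)
    for parent, kids in by_parent.items():
        if len(kids) >= min_siblings:
            names -= kids
            names.add(parent)
    # Drop anything already covered by a blocked ancestor (an unbound
    # local-zone applies to every subdomain of the zone).
    return sorted(n for n in names
                  if not any(n.endswith("." + p) for p in names if p != n))

def unbound_lines(blocked, allowed=(), action="always_nxdomain"):
    """Emit unbound.conf local-zone entries. Unbound picks the most specific
    local-zone for a query, so a 'transparent' zone for an allowed name
    overrides a blocking zone on its parent."""
    allow = {norm(a) for a in allowed}
    lines = [f'local-zone: "{n}." {action}' for n in blocked if n not in allow]
    lines += [f'local-zone: "{a}." transparent' for a in sorted(allow)]
    return lines

if __name__ == "__main__":
    print("\n".join(unbound_lines(collapse(BLOCK), ALLOW)))
```

Run with a real blocklist on stdin in place of `BLOCK` and drop the output into a file pulled in by `include:` from unbound.conf; the same structure would serve as the place to append the typo variations the comment describes.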
petee, today at 1:09 AM

Unbound has "prefetch" which will refresh near-expired cached records, and various other cache/TTL knobs. "serve-expired" seemed to work well too.

kingo55, today at 12:46 AM

> I pre-cache all the domains I use hourly via cron.

How does this look? Shell script querying a list of hostnames? What qualifies as a domain you use?
