I can't vouch for these since I haven't tried them yet, but it can apparently also be complemented by configuring your local DNS server to return NXDOMAIN for use-application-dns.net [1] and using a DoH proxy to protect upstream requests from snooping [2].
(It'll need to be a constantly-updating blocklist, but the DNS-adblock lists are also that already.)