Setting up a Pi-hole DNS server for my Wi-Fi network was one of the best decisions I've ever made. Horrifying to see what percentage of traffic is on the ad server blacklist though...

I wanted to do that, but I had a look at Pi-hole and ran away screaming. Instead of proper packaging, they have a 3000-line install script they want you to pipe into Bash.

I went a saner route, and used dnsmasq and a blocklist[1] updated nightly via cron. Dnsmasq in turn queries Stubby, which talks to uncensoreddns.org via DNS-over-TLS. Boom, DoT on my entire LAN.

[1] https://github.com/notracking/hosts-blocklists
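
A list fetched nightly by cron and loaded into dnsmasq is resolver configuration supplied by a third party, so it is worth checking each line before installing it. The following is an added example, not part of the comment above or of any project it mentions; it assumes the fetched file holds dnsmasq `address=/name/sink` lines or hosts-style `sink name` lines, and the function names and sample data are constructed for illustration.

```python
import re

# Assumption: block entries may only point at these sinkhole addresses.
SINKS = {"0.0.0.0", "::"}
# Conservative hostname check: dot-separated labels of letters, digits, "-" and "_".
HOSTNAME = re.compile(r"^(?=.{1,253}$)[a-z0-9_-]{1,63}(\.[a-z0-9_-]{1,63})*$", re.I)
DNSMASQ_LINE = re.compile(r"^address=/([^/\s]+)/(\S+)$")

def check_line(line):
    """Return None if the line is an acceptable block entry, else a reason string."""
    m = DNSMASQ_LINE.match(line)
    if m:
        name, target = m.groups()
    else:
        fields = line.split()
        if len(fields) != 2:
            return "not a block entry"  # e.g. server=, conf-file=, extra fields
        target, name = fields
    if target not in SINKS:
        return "target is not a sinkhole address"  # would redirect, not block
    if not HOSTNAME.match(name):
        return "invalid hostname"
    return None

def validate_blocklist(text):
    """Split fetched list text into (accepted_lines, [(lineno, line, reason)])."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reason = check_line(line)
        if reason is None:
            accepted.append(line)
        else:
            rejected.append((lineno, line, reason))
    return accepted, rejected

# Constructed sample, not taken from the real list.
SAMPLE = """\
address=/ads.example.com/0.0.0.0
address=/ads.example.com/::
0.0.0.0 tracker.example.net
address=/bank.example.org/203.0.113.7
server=/example.org/198.51.100.53
conf-file=/tmp/extra.conf
"""

if __name__ == "__main__":
    print(*validate_blocklist(SAMPLE)[1], sep="\n")
```

A cron job using this would keep the previous list and raise an alert whenever the rejected list is non-empty, rather than installing the new file.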