Agreed - a multi-level approach seems prudent indeed. I also have set up a deny-by-default 3rd party firewall configuration, so any "new and improved" telemetry is going to fail, and I'm going to know about it.
The DNS server I'm using is Dual DHCP DNS Server, available as an open source project here:
https://sourceforge.net/projects/dhcp-dns-server/
As you described, it can be run on the same system it's being used on. I had to tweak the source to be able to handle a large wildcard blacklist, but it was pretty straightforward to do. At some point I'll join the developer team for the package and submit my changes.
-Noel
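The part of the post about handling a large wildcard blacklist maps to a concrete data-structure problem: a resolver must decide, per query, whether the name or any parent of it is listed, and a linear scan over a big list is too slow. The following is an added illustration written for this thread; it is not Noel's patch and not code from Dual DHCP DNS Server. The label-trie approach, the "*.suffix" entry syntax (subdomains only, apex not matched) and the sample entries are all constructed for the example.

```python
# Added example (not from the post or the Dual DHCP DNS Server project):
# wildcard DNS blacklist lookup using a trie keyed by DNS labels, walked
# right-to-left, so a query costs O(labels in the name) no matter how many
# entries are loaded.

from typing import Dict, Iterable, Set

# Constructed sample entries. "*.x.example" blocks every subdomain of
# x.example; a bare name blocks exactly that host.
SAMPLE_BLACKLIST = [
    "*.telemetry.example",
    "stats.vendor.example",
    "*.ads.example",
]

TERMINAL = "$"  # marker key; "$" cannot appear in a hostname label


class WildcardBlacklist:
    def __init__(self, entries: Iterable[str] = ()):
        self.root: Dict = {}
        for entry in entries:
            self.add(entry)

    @staticmethod
    def _normalize(name: str) -> str:
        # DNS names are case-insensitive; strip the trailing root dot.
        return name.strip().lower().rstrip(".")

    def add(self, entry: str) -> None:
        entry = self._normalize(entry)
        wildcard = entry.startswith("*.")
        if wildcard:
            entry = entry[2:]
        node = self.root
        for label in reversed(entry.split(".")):
            node = node.setdefault(label, {})
        marks: Set[str] = node.setdefault(TERMINAL, set())
        marks.add("wild" if wildcard else "exact")

    def is_blocked(self, qname: str) -> bool:
        labels = self._normalize(qname).split(".")
        node = self.root
        for i, label in enumerate(reversed(labels)):
            node = node.get(label)
            if node is None:
                return False           # no entry shares this suffix
            marks = node.get(TERMINAL, ())
            last = i == len(labels) - 1
            if "wild" in marks and not last:
                return True            # qname is below a wildcard entry
            if "exact" in marks and last:
                return True            # qname is an exact entry
        return False


def decide(blacklist: WildcardBlacklist, qname: str) -> str:
    """Action a filtering resolver would take for a query name."""
    return "NXDOMAIN" if blacklist.is_blocked(qname) else "forward"


if __name__ == "__main__":
    bl = WildcardBlacklist(SAMPLE_BLACKLIST)
    for q in ("a.telemetry.example", "telemetry.example",
              "stats.vendor.example", "www.vendor.example"):
        print(f"{q:28} -> {decide(bl, q)}")
```

Because each query walks at most as many trie nodes as the name has labels, list size only affects memory, not per-query latency, which is the property a resolver running on the same host needs once the blacklist grows large.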