Nice looking router! I haven’t seen much DrayTek gear in a long time, but that looks like a good bit of kit. I’m not suggesting you do this, but during the presentation I mentioned that it is possible to run AdGuard Home directly on certain routers, and I suspect the Vigor 2927 is one of them. There’s a MIPS build of AGH and the router looks powerful enough to handle it. It may require popping the case off and getting access to a serial interface. Brought up here for the sake of completeness only, and it’s probably something to file away for future tinkering potential. (Or bring it to a HLB meet one night and we’ll get the tamper proof screwdriver bits out and do some tampering.)
Awesome work! Sounds like you’ve essentially done what @kangie was talking about in the Cert Management thread, and what I left out of the presentation last week to try and limit the scope and presentation time. Blocking those direct requests is good, but if you haven’t done so already, you could use NAT to redirect those requests back to your Pi-Hole instead of blocking them outright. Just make sure you’re not forwarding requests from your Pi-Hole to your Pi-Hole to your Pi-Hole to your Pi-Hole to your Pi-Hole…
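The NAT redirect described above, written out as an added example (not from the original post and not DrayTek's configuration) for a Linux-based router running nftables; it includes the loop guard for the Pi-Hole's own upstream queries. The interface name and Pi-Hole address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or any DrayTek firmware.
# Emits an nftables ruleset for a Linux-based router that forces every LAN
# client's DNS (UDP/TCP 53) through the Pi-hole, with the loop guard the
# post warns about: the Pi-hole's own upstream queries are left alone.
# Interface and address values below are assumed placeholders.

gen_dns_redirect() {
  lan_if="$1"      # LAN-facing interface, e.g. br0
  pihole="$2"      # Pi-hole's LAN address
  cat <<EOF
table ip dns_redirect {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # Loop guard: queries FROM the Pi-hole (to its upstream) must not be
    # sent back to the Pi-hole, or it forwards to itself forever.
    iifname "$lan_if" ip saddr $pihole accept
    # Queries already addressed to the Pi-hole need no rewriting.
    iifname "$lan_if" ip daddr $pihole accept
    # Any client with a hard-coded public resolver gets rewritten instead.
    iifname "$lan_if" udp dport 53 counter dnat to $pihole
    iifname "$lan_if" tcp dport 53 counter dnat to $pihole
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    # Only flows that were DNATed get masqueraded (hairpin on the same LAN),
    # so clients that talk to the Pi-hole directly keep their real IP in its logs.
    ip daddr $pihole ct status dnat masquerade
  }
}
EOF
}

# Self-check: refuse to emit a ruleset that lacks the loop guard.
has_loop_guard() {
  gen_dns_redirect "$1" "$2" | grep -q "ip saddr $2 accept"
}

LAN_IF="${LAN_IF:-br0}"                 # assumed placeholder
PIHOLE_IP="${PIHOLE_IP:-192.168.1.53}"  # assumed placeholder
if has_loop_guard "$LAN_IF" "$PIHOLE_IP"; then
  gen_dns_redirect "$LAN_IF" "$PIHOLE_IP"   # apply with: ... | nft -f -
fi
```

The masquerade rule is what makes the hairpin work when the Pi-Hole sits on the same LAN as the clients; without it the Pi-Hole replies straight to the client, which drops the answer because it came from an unexpected source.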
IPv6 can be a bit too clever for its own good in this regard. Your ISP is probably assigning a prefix to you via DHCPv6 Prefix Delegation and your own router dishing out IPv6 addresses via RAs. Those IPv6 DNS servers can come automatically from your ISP and will be subsequently pushed out to your LAN via the RAs unless you explicitly tell your router not to do that. In MikroTik land it’s use-peer-dns=no, on Ubiquiti EdgeRouters it’s no-dns, and there’ll be a setting in the DrayTek IPv6 config somewhere along those lines - essentially “Ignore the DNS servers being assigned by the ISP and DHCPv6/PD, and use the ones I put in your config”. Happy to have a dig and see if I can find it in their docs and/or chat to you about it at the next meet if it’s causing problems.
Nothing wrong with this approach, but you could save yourself the couple of bucks for a premium NextDNS plan without increasing the TTL/cache on the Pi-Hole. You’re doubling up by having your own Pi-Hole on your own network with its own blocklists which is forwarding your DNS queries to the resolvers at NextDNS to check against their blocklists (which are probably identical or very similar to the ones already in your Pi-Hole). If you see that the Pi-Hole is blocking 30% of your requests and that NextDNS is blocking substantially less than 30%, then that could be an indication that you’re “doubling up”. The blockable requests are already being filtered out by Pi-Hole, and only the legitimate/desired DNS queries are ever making it to NextDNS anyway. If the stats on Pi-Hole and NextDNS stay around 30%, it could be a sign that some of your DNS queries are “leaking” around the Pi-Hole (unlikely, by the sounds of it), or that the blocklists at Pi-Hole and NextDNS are different enough to have queries making it past the Pi-Hole and being blocked by a separate blocklist at NextDNS (more likely). If it’s the latter, throw some more block lists into the Pi-Hole and give it ~24 hours before looking again. (Edit: NextDNS will give you figures on which blocklists are blocking the most domains under Analytics > Blocked Reasons. Load the top handful of blocklists into your Pi-Hole and rinse and repeat.)
Personal preference only, but I’d suggest that if you’re running a stable and well configured Pi-Hole then that’ll be suitable for your clients at home (e.g., those Chromecast and Firestick devices, as well as your devices that always or almost always stay home), and that Pi-Hole uses another upstream resolver (e.g., your ISP, or 1.1.1.2 or 9.9.9.9, etc.). Then, NextDNS only gets applied individually to devices such as your phone which will frequently be outside your local network (and therefore away from the Pi-Hole), which will give you access to blocklists/logging/etc. without the Pi-Hole and will probably keep you under the 300,000 limit at NextDNS. Use that $3 on other homelabbing ventures such as a cheap VPS.
Happy to present 2 DNS 2 Furious if there’s interest. Plenty more to cover such as DNSSEC/DoH/DoT, IPv6, RDNS, self-hosting authoritative servers, firewalls, and so on. It’s an interesting area to explore, but I’m also mindful of not having our group sit through multiple torturous multi-hour sessions on nothing but DNS.