I made a list for my firewall configuration (to block DoH requests directly from clients) for all the variants of the public servers, excluding OpenDNS. I will share it here with you guys, so it is a convenience list.
1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 Cloudflare No Filter
1.1.1.2 1.0.0.2 2606:4700:4700::1112 2606:4700:4700::1002 Cloudflare Malware Filter
1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003 Cloudflare Malware and Family Filter
8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 Google No Filter, Tracked, supports ECS
9.9.9.9 149.112.112.9 149.112.112.112 2620:fe::9 2620:fe::fe:9 2620:fe::fe Quad9 Malware Filter
9.9.9.10 149.112.112.10 2620:fe::10 2620:fe::fe:10 Quad9 No Filter
9.9.9.11 149.112.112.11 2620:fe::11 2620:fe::fe:11 Quad9 Malware Filter and supports ECS
9.9.9.12 149.112.112.12 2620:fe::12 2620:fe::fe:12 Quad9 No Filter, supports ECS
The ECS I mentioned refers to a feature that supposedly helps get maximum CDN performance. Netflix, I think, have taken issue with Cloudflare not passing it on; Cloudflare state they are in discussions for CDNs to do their optimisation without the privacy exposure. My personal opinion is that I have noticed no bad performance from CDN-based content with ECS data omitted.
In regards to performance, Quad9 is faster for me unencrypted vs Cloudflare. I tried Quad9 DNSCrypt, which had awful glaring issues, latency all over the place including timeouts, whilst my personal DNSCrypt tunnel had no such issues. I then tried Cloudflare DoH, which has been working really well, and that is my current configuration: I use the .2 malware servers, dual stack, primary IPv4 with secondary IPv6. My DoH is done via dnscrypt-proxy (in DoH mode) on my firewall, and the unbound DNS resolver uses the local DNSCrypt as its resolver. This is so I still benefit from unbound performance features such as 'serve expired'.
If you guys can do it, DoH should easily be faster than DoT due to how the protocols work, but pfSense unbound doesn't natively support DoH, so you would need to use something like dnscrypt-proxy as an intermediate or main resolver.
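
An added example, not part of the original post: one way to turn the list above into a firewall table that blocks clients from reaching those resolvers on port 443. The pf table name `doh_resolvers` and the `$lan_if` macro are assumptions, and UDP is included so that DoH over HTTP/3 is covered as well.

```python
import ipaddress

# Resolver list copied from the post: addresses first, free-text label after.
RESOLVER_LIST = """\
1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 Cloudflare No Filter
1.1.1.2 1.0.0.2 2606:4700:4700::1112 2606:4700:4700::1002 Cloudflare Malware Filter
1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003 Cloudflare Malware and Family Filter
8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 Google No Filter, Tracked, supports ECS
9.9.9.9 149.112.112.9 149.112.112.112 2620:fe::9 2620:fe::fe:9 2620:fe::fe Quad9 Malware Filter
9.9.9.10 149.112.112.10 2620:fe::10 2620:fe::fe:10 Quad9 No Filter
9.9.9.11 149.112.112.11 2620:fe::11 2620:fe::fe:11 Quad9 Malware Filter and supports ECS
9.9.9.12 149.112.112.12 2620:fe::12 2620:fe::fe:12 Quad9 No Filter, supports ECS
"""

def parse_resolvers(text):
    """Return (sorted IPv4 list, sorted IPv6 list, {address: label})."""
    labels = {}
    for line in text.splitlines():
        tokens = line.split()
        addrs = []
        # Leading tokens that parse as IP addresses are resolvers;
        # the first token that does not parse starts the label.
        while tokens:
            try:
                addrs.append(ipaddress.ip_address(tokens[0]))
            except ValueError:
                break
            tokens.pop(0)
        for addr in addrs:
            labels.setdefault(addr, " ".join(tokens))
    v4 = sorted(a for a in labels if a.version == 4)
    v6 = sorted(a for a in labels if a.version == 6)
    return v4, v6, labels

def pf_rules(v4, v6, lan_if="$lan_if", table="doh_resolvers"):
    """Build a pf table and block rule (names are assumptions, see lead-in)."""
    members = " ".join(str(a) for a in v4 + v6)
    return [
        f"table <{table}> const {{ {members} }}",
        # Inbound on the LAN interface only, so the firewall's own
        # dnscrypt-proxy upstream connection is not affected.
        f"block return in quick on {lan_if} proto {{ tcp udp }} "
        f"from any to <{table}> port 443",
    ]

if __name__ == "__main__":
    ipv4, ipv6, _ = parse_resolvers(RESOLVER_LIST)
    print("\n".join(pf_rules(ipv4, ipv6)))
```

On pfSense the same address set would normally go into an alias used by a LAN block rule rather than hand-written pf syntax.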