A safe setting is once a day; you don't want to upset list maintainers by swamping their servers for updates.
By the way, a quick update.
1 - I removed the DGA list, which has 800k entries. I did some digging and found these are not verified live domains; they are generated domains from seeds that ransomware admins were found to be using for domain generation, so it's a sort of catch-all list that is designed to preempt new domains coming online and being unfiltered. But my unbound started having some issues; however, I may re-add it later due to what I found in issue #3, see below.
2 - I added an IP BL for some ransomware servers. This has to be added in the IPv4 section as it's not DNS filtered, but firewall filtered. The URL for the list is here; the site says it is updated every 5 mins, but I, at least for now, set it to once a day.
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
3 - I discovered that unbound is restarted very frequently if it is set to host DHCP name records. Basically, if the static DHCP or leased DHCP boxes are ticked in the DNS resolver settings, pfSense seems to be coded badly in that whenever a DHCP record is updated it will restart unbound, which flushes its cache and reloads DNS lists, and the 800k list I had added caused unbound to be unresponsive for 30+ seconds when this happened.
Now regarding #3, on my particular network, I can see in the resolver logs that unbound was being restarted every 10-20 minutes, which is way too frequent for my liking. So I copied someone else's suggestion, which is to manually maintain a DHCP DNS list which I load into unbound using the custom config box with an include line, and keep those 2 boxes unticked. I am only maintaining it for my static DHCP leases; I don't care about DNS resolution on dynamic leases.
Just reread your post.
My cron is set to every 12 hours, but I have all these lists set to only update once a day. Setting the cron to run more often shouldn't be a big deal; however, it may (if you add lists at different start times) stagger updates, which would mean more DNS reloading.
Also on the DNSBL config page near the bottom is this section
"DNSBL IP Firewall Rule Settings"
I think, but I am only guessing as I have not tried it, that if you enable the "List Action" setting and select deny, then it may add the resolved IPs to the firewall.
Just be aware that many domains can be hosted on a single IP, so let's say a ransomware dude is hosting his domain on a shared web hosting server mixed in with legal customers sharing the same IP; you could also block all those sites.
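
One way to build the manually maintained host list mentioned under #3, as an added example that is not part of the original post: it renders static leases into unbound `local-data` / `local-data-ptr` lines for a file loaded with an include line, rejecting entries that would corrupt the config. The domain `home.lan`, the sample leases and the function name are assumptions.

```python
import ipaddress
import re

# Constructed sample static mappings (hostname, IPv4); not from the original post.
STATIC_LEASES = [
    ("nas", "192.168.1.10"),
    ("printer", "192.168.1.20"),
    ('bad"host', "192.168.1.30"),  # quote would break out of the config string
    ("camera", "192.168.1.999"),   # not a valid IPv4 address
]

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def render_host_overrides(leases, domain="home.lan"):
    """Return (config_text, rejected) for an unbound include file.

    Each accepted lease becomes a forward (A) and reverse (PTR) record.
    Rejected entries are returned with a reason instead of being written,
    so a bad hostname can never inject extra directives into unbound.
    """
    lines, rejected, seen = ["server:"], [], set()
    for host, ip in leases:
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            rejected.append((host, ip, "invalid IPv4 address"))
            continue
        if not LABEL.fullmatch(host):
            rejected.append((host, ip, "invalid hostname label"))
            continue
        name = host.lower()
        if name in seen:
            rejected.append((host, ip, "duplicate hostname"))
            continue
        seen.add(name)
        fqdn = f"{name}.{domain}"
        lines.append(f'local-data: "{fqdn}. IN A {addr}"')
        lines.append(f'local-data-ptr: "{addr} {fqdn}"')
    return "\n".join(lines) + "\n", rejected


if __name__ == "__main__":
    conf, rejected = render_host_overrides(STATIC_LEASES)
    print(conf, end="")
    for host, ip, reason in rejected:
        print(f"# skipped {host!r} {ip!r}: {reason}")
```

Because the file only changes when it is regenerated, unbound reloads it on your schedule rather than on every DHCP lease update.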