Hi all, hoping someone can help with banip and why it doesn't appear to be working.
I installed banip on OpenWrt, enabled it and selected the DoH feed which I understand is the dibdot list.
I selected all external devices/interfaces on the 'General Settings' tab from banip in LuCI.
I am running the following test to see if DoH is being blocked (from VLAN br-lan.31):
curl --doh-url https://cloudflare-dns.com/dns-query https://www.example.com
but rather than seeing curl: (6) Couldn't resolve host name, I get the HTML from www.example.com.
(I have also tried curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=example.com&type=A' to test.)
root@Liberator:~# cat /etc/config/banip
config banip 'global'
	option ban_enabled '1'
	option ban_debug '0'
	option ban_autodetect '0'
	list ban_logterm 'Exit before auth from'
	list ban_logterm 'luci: failed login'
	option ban_fetchretry '5'
	option ban_nicelimit '0'
	option ban_filelimit '1024'
	option ban_deduplicate '1'
	option ban_nftpriority '-100'
	option ban_icmplimit '25'
	option ban_synlimit '10'
	option ban_udplimit '100'
	option ban_nftpolicy 'memory'
	option ban_nftretry '3'
	option ban_blockpolicy 'drop'
	option ban_nftloglevel 'warn'
	option ban_logprerouting '0'
	option ban_loginbound '0'
	option ban_logoutbound '0'
	option ban_loglimit '100'
	list ban_feed 'doh'
	option ban_autoallowlist '1'
	option ban_autoallowuplink 'subnet'
	option ban_autoblocklist '1'
	option ban_allowlistonly '0'
	list ban_trigger 'wan'
	option ban_fetchcmd 'curl'
	option ban_protov4 '1'
	option ban_protov6 '1'
	list ban_dev '@Proton1'
	list ban_dev '@Proton2'
	list ban_dev '@VPS'
	list ban_dev '@wan'
	list ban_dev '@wan6'
	list ban_ifv4 'Proton1'
	list ban_ifv4 'Proton2'
	list ban_ifv4 'VPS'
	list ban_ifv4 'wan'
	list ban_ifv6 'wan6'
	list ban_vlanblock 'br-lan.31'
What am I missing?
EDIT: I may have figured this out. I had VLAN br-lan.31 configured, via DHCP option 6, to use a pi-hole DNS server, so DNS requests were being fulfilled by that. When I removed option 6 so that br-lan.31 used OpenWrt as its resolver, my test was blocked as expected.
I already have the pi-hole set up to use the Hagezi DoH blocklist for certain VLANs (not br-lan.31 currently). This is the method I will prefer, but I wanted to make sure nothing could leak via OpenWrt, hence using banip on OpenWrt as well.
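The gap found in the EDIT above is that a per-pool DHCP option 6 quietly points clients at a resolver other than the router, so the router's own DNS handling is never involved for that VLAN. The script below is an added example (not code from the original post, and not part of banip or OpenWrt) that audits a UCI dhcp config for exactly that: it lists every DHCP pool that advertises a resolver via option 6, optionally skipping pools whose only advertised resolver is a given router address. The sample config, the section names (vlan31, vlan40, guest) and the addresses in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a UCI dhcp config for pools
# that hand clients a resolver via DHCP option 6, i.e. clients that will not be
# using the router (and whatever filtering sits behind its resolver) for DNS.
#
# find_dhcp_dns_overrides FILE [ROUTER_IP]
#   FILE       UCI dhcp config, normally /etc/config/dhcp
#   ROUTER_IP  optional; pools whose option 6 list contains only this address
#              are treated as "still using the router" and are not reported.
# Prints one line per reported pool: "<section> <interface> <resolvers>".
# Assumes the usual uci-style layout (one option/list per line, values without
# embedded spaces), which is what `uci export` and LuCI write.
find_dhcp_dns_overrides() {
    awk -v q="'" -v router="$2" '
        # strip a single or double quote from each end of a UCI value
        function unq(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }

        # start of a dhcp pool section; remember its order of appearance
        $1 == "config" && $2 == "dhcp" {
            sec = unq($3); n++
            if (sec == "") sec = "@dhcp[" n "]"   # anonymous section
            order[n] = sec
            next
        }
        # any other section type ends attribution of the options that follow
        $1 == "config" { sec = ""; next }

        sec != "" && $1 == "option" && $2 == "interface" { iface[sec] = unq($3); next }

        # dhcp_option is normally a list, but a single option line is also valid
        sec != "" && ($1 == "list" || $1 == "option") && $2 == "dhcp_option" {
            v = unq($3)
            if (v ~ /^6,/) {                       # option 6 = DNS servers
                sub(/^6,/, "", v)
                dns[sec] = (dns[sec] == "" ? v : dns[sec] "," v)
            }
            next
        }

        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (dns[s] == "") continue
                m = split(dns[s], r, ",")
                foreign = 0
                for (j = 1; j <= m; j++) if (r[j] != router) foreign = 1
                if (foreign) print s, (iface[s] == "" ? s : iface[s]), dns[s]
            }
        }
    ' "$1"
}

# Constructed sample config for the demonstration (not the poster's real file).
# "lan" has no option 6 and so uses the router; vlan31 and vlan40 point at other
# hosts; "guest" points at the router's own (hypothetical) address 192.168.50.1.
SAMPLE_DHCP=$(mktemp)
trap 'rm -f "$SAMPLE_DHCP"' EXIT
cat > "$SAMPLE_DHCP" <<'EOF'
config dnsmasq
	option domainneeded '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'vlan31'
	option interface 'vlan31'
	option start '100'
	option limit '150'
	list dhcp_option '6,192.168.31.5'

config dhcp 'vlan40'
	option interface 'vlan40'
	list dhcp_option '3,192.168.40.1'
	list dhcp_option '6,192.168.40.5,192.168.40.6'

config dhcp 'guest'
	option interface 'guest'
	list dhcp_option '6,192.168.50.1'
EOF

# Report pools whose clients are sent anywhere other than 192.168.50.1 for DNS.
find_dhcp_dns_overrides "$SAMPLE_DHCP" 192.168.50.1
```

On a router, run it as `find_dhcp_dns_overrides /etc/config/dhcp <router LAN address>` (or with no second argument to see every pool that sets option 6 at all). Any pool it prints is one where banip's view of DNS on the router tells you nothing about what the clients are actually doing, which is the situation described in the EDIT.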