Today's result is a script that lets me block, on my resolvers, source IPs from various cloud providers from which I have recently been getting a lot of DNS requests.
Hopefully the traffic volume goes down again, because one of the instances is already at about 1.3 TB this month (about 3 months ago it was still under 10 GB per month).
I rely on the IP lists that some providers publish, and if there are none, I use the MaxMind GeoLite2-ASN. The bash script creates the blocks itself via nftables.
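
A sketch of the nftables half of such a script, added here as an illustration and not the author's own code: it turns a prefix list on stdin into a ruleset that drops DNS queries from those sources. The table, set and chain names (`dnsblock`, `cloud4`, `cloud6`, `input`) are assumptions, the sample prefixes are constructed from documentation ranges, and fetching provider lists or querying GeoLite2-ASN is left out.

```shell
#!/bin/sh
# Constructed sample input (documentation ranges, not real provider data).
sample_prefixes() {
  printf '%s\n' '# provider A (constructed)' 192.0.2.0/24 198.51.100.0/25 \
    198.51.100.0/25 2001:db8:1234::/48 not-a-prefix 203.0.113.7
}

# Keep only syntactically plausible prefixes, de-duplicated. Out-of-range
# octets still pass here; "nft -c -f" catches those before loading.
filter_v4() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' | sort -u
}
filter_v6() {
  grep -E '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/([0-9]{1,2}|1[01][0-9]|12[0-8]))?$' | sort -u
}

emit_set() {  # $1 = set name, $2 = element type, stdin = prefixes
  elems=$(paste -sd, -)
  printf '  set %s {\n    type %s\n    flags interval\n    auto-merge\n' "$1" "$2"
  # "elements = { }" with nothing inside is a syntax error, so omit it.
  if [ -n "$elems" ]; then printf '    elements = { %s }\n' "$elems"; fi
  printf '  }\n'
}

build_ruleset() {  # stdin = raw prefix list, stdout = nft ruleset
  raw=$(cat)
  # add + delete + redefine makes a reload replace the old table atomically.
  printf 'add table inet dnsblock\ndelete table inet dnsblock\n'
  printf 'table inet dnsblock {\n'
  printf '%s\n' "$raw" | filter_v4 | emit_set cloud4 ipv4_addr
  printf '%s\n' "$raw" | filter_v6 | emit_set cloud6 ipv6_addr
  cat <<'EOF'
  chain input {
    type filter hook input priority -10; policy accept;
    ip saddr @cloud4 udp dport 53 counter drop
    ip saddr @cloud4 tcp dport 53 counter drop
    ip6 saddr @cloud6 udp dport 53 counter drop
    ip6 saddr @cloud6 tcp dport 53 counter drop
  }
}
EOF
}

# Usage (needs root and nftables; prefixes.txt is a hypothetical file):
#   build_ruleset < prefixes.txt > dnsblock.nft
#   nft -c -f dnsblock.nft && nft -f dnsblock.nft
```

The `counter` on each rule lets `nft list table inet dnsblock` show how many queries each rule has dropped, which helps confirm the lists are actually matching the unwanted traffic.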