And do you use any kind of reference for determining which ranges/countries are wise to block or has this just been something you’ve evolved over time?

Currently, I have IPv4 only (will change end of year to dual stack), and to block AS13414 (NetName TWITTER-NETWORK) blocking 104.244.40.0/21 to block x.com is suffice. However, if you follow [1] you have a more complete blocklist. In a *BSD you can use cron and curl to update these lists based on if a change occurred, OPNsense allows the same in their webUI. In that vein, I also have Tor exit node block list (this is public data), I have a Censys (& Co) blocklist. You name it.

I don't use DNS-based in this instance (I do for example, for porn, cause I have children). I use a firewall-based one in OPNsense. PF (and therefore OPNsense) have a feature called anchors (alias in OPNsense) which basically allows you to use OOP to develop lists.

I'm pretty sure Linux like OpenWrt can do the same, and you can also use DNS-based blocklists. You can even outsource the hosting to e.g. NextDNS. Because these blocklists, whether firewall or DNS-based filtering, they do use some RAM especially. Back when I started w/this in early '00s this was an issue on my Soekris OpenBSD machine. Nowadays, I assign 8 GB RAM to the VM and call it a day.

[1] https://github.com/platformbuilds/TwitterIPLists