Is your HestiaCP DNS server querying the DNSBLs (like SpamHaus) directly or using a forwarder?
Because if your HestiaCP server forwards all DNS queries via some public DNS (e.g. Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1) or even some larger ISP (Hetzner), then the DNSBLs often won’t work.
Yes, but why block queries from public recursive name servers?
It’s simple – public recursive name servers act as an anonymizing service and enable large-scale users to hide behind them. Given the lack of transparency and inability to identify those who are abusing the free service, a difficult decision was made to add some public domain name servers to our access control list… ultimately blocking your query. – Successfully accessing Spamhaus' free blocklists using a public DNS - Spamhaus Technology
I’m using Bind9 and have instructed it to DIRECTLY query DNSBL domains (e.g. spamhaus, spamcop, uribl, dnswl etc) by overriding forwarders just for those few domains in /etc/bind/named.conf.local
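The per-domain override described above could look like the following. This is an added example, not the poster's actual configuration: the zone names are assumed to be the parent domains of the DNSBLs mentioned, and the global forwarders are the public resolvers named in the post.

```conf
// /etc/bind/named.conf.options
// Global forwarding as described in the post: every recursive query
// leaves via a public resolver, so the DNSBL operator sees the public
// resolver's address instead of this server's.
options {
    directory "/var/cache/bind";
    forwarders { 8.8.8.8; 1.1.1.1; };
    // remaining options unchanged
};

// /etc/bind/named.conf.local
// A zone of type "forward" with an EMPTY forwarders list cancels the
// global forwarders for that domain only. BIND then resolves names under
// it by recursing from the root itself, so the DNSBL's name servers are
// queried directly from this host's IP address.
// Zone names below are assumptions: the parent domains of the lists
// the post mentions (spamhaus, spamcop, uribl, dnswl).
zone "spamhaus.org" {
    type forward;
    forwarders { };
};

zone "spamcop.net" {
    type forward;
    forwarders { };
};

zone "uribl.com" {
    type forward;
    forwarders { };
};

zone "dnswl.org" {
    type forward;
    forwarders { };
};
```

Check the syntax with `named-checkconf` and apply it with `rndc reconfig`. The host must be able to reach authoritative name servers on port 53 directly, since these lookups no longer go through the forwarders.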