Yup, you're correct.
OpenDNS has limited malicious/bad site blocking (they focus on long-lived stuff like botnets) and phishing protection.
Quad9 uses a bunch of vendors' threat intelligence feeds to block malicious and phishing sites.
Comodo is vague, but claim they use RBLs. They aren't RFC-compliant with regard to DNS TTLs. No idea whether they redirect on NXDOMAIN (I don't trust Comodo as a company, so I haven't used this svc)
Norton uses their own threat intelligence feeds to block phishing, malicious sites, etc, but last I checked, they redirect instead of returning NXDOMAIN, and partner with ask.com for that monetization stuff (yuck).