It looks like Unbound doesn't understand that if you add a 3rd- or 4th-level domain it should be blocking the 2nd-level domain :(
grep -Ri 'microsoft.com' /var/lib/unbound/
/var/lib/unbound/someonewhocares.db:local-zone: "amer.hops.glbdns.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "apprep.smartscreen.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "himicrosoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "microsoft.com-it2-dye1.premi-fedelta-degli-utenti.us." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "microsoft.com-msoft52.info." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "reports.wes.df.telemetry.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "settings-win.data.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "statsfe2.ws.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "v10.vortex-win.data.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "vortex-win.data.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "wes.df.telemetry.microsoft.com." always_nxdomain
dig microsoft.com
; <<>> DiG 9.11.5-P1-1ubuntu2.5-Ubuntu <<>> +nocookie microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24260
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;microsoft.com. IN A
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 12 12:15:41 CEST 2019
;; MSG SIZE rcvd: 42
As shown, Unbound is not only blocking from tld.secondlevel down to fourth.level etc., but also the other way, from the fourth level up to the second level, so the use of the always_nxdomain value leads to unwanted issues.
Currently I have no idea how to solve this.....
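As an added example (not code from the original post and not part of Unbound), the script below applies Unbound's documented local-zone matching rule to a list of `local-zone:` entries: a query is answered by the closest enclosing zone, i.e. the entry whose name equals the query name or is an ancestor of it, compared label by label. A substring `grep` for `microsoft.com` cannot make that distinction, which is why it also lists unrelated names such as `himicrosoft.com.` and `microsoft.com-msoft52.info.`. The sample input is constructed from a subset of the grep output above; the function names are this example's own.

```python
"""Label-aware audit of Unbound local-zone entries.

Added example, not code from the original post or from Unbound itself.
Unbound answers a query from the closest enclosing local-zone: the entry
whose name equals the query name or is an ancestor of it, label by label.
A substring grep cannot tell that apart from lookalikes such as
"himicrosoft.com." or "microsoft.com-msoft52.info.", so this script does
the comparison on DNS labels instead.
"""
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample: a subset of the local-zone lines from the grep output
# in the post, including the "file:" prefix that grep -R prepends.
SAMPLE_LINES = """\
/var/lib/unbound/someonewhocares.db:local-zone: "amer.hops.glbdns.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "himicrosoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "microsoft.com-msoft52.info." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "wes.df.telemetry.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "reports.wes.df.telemetry.microsoft.com." always_nxdomain
"""

# Matches: local-zone: "<name>" <type>   (anything before "local-zone:" is ignored)
LOCAL_ZONE_RE = re.compile(r'local-zone:\s*"([^"]+)"\s+(\S+)')

Zone = Tuple[str, str]  # (normalized name with trailing dot, zone type)


def labels(name: str) -> List[str]:
    """Split a name into lowercase labels, dropping the root.
    'Wes.DF.example.com.' -> ['wes', 'df', 'example', 'com']"""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def parse_local_zones(text: str) -> List[Zone]:
    """Extract (name, type) pairs from grep output or an unbound.conf fragment."""
    zones: List[Zone] = []
    for line in text.splitlines():
        m = LOCAL_ZONE_RE.search(line)
        if m:
            zones.append((".".join(labels(m.group(1))) + ".", m.group(2)))
    return zones


def is_at_or_below(qname: str, zone_name: str) -> bool:
    """True if qname equals zone_name or is a subdomain of it, label-wise."""
    q, z = labels(qname), labels(zone_name)
    return len(q) >= len(z) and q[len(q) - len(z):] == z


def closest_enclosing(zones: List[Zone], qname: str) -> Optional[Zone]:
    """The entry Unbound would use for qname: the longest enclosing match,
    or None if no configured local-zone encloses the name."""
    matches = [z for z in zones if is_at_or_below(qname, z[0])]
    return max(matches, key=lambda z: len(labels(z[0]))) if matches else None


def zones_below(zones: List[Zone], name: str) -> List[Zone]:
    """Entries at or under name: what a grep for name should actually list."""
    return [z for z in zones if is_at_or_below(z[0], name)]


if __name__ == "__main__":
    # Usage: python3 lz_audit.py microsoft.com. < <(grep -Rh local-zone /var/lib/unbound/)
    qname = sys.argv[1] if len(sys.argv) > 1 else "microsoft.com."
    text = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin.read()
    zones = parse_local_zones(text)
    hit = closest_enclosing(zones, qname)
    print(f"closest enclosing local-zone for {qname}: {hit}")
    for z in zones_below(zones, qname):
        print(f"  below {qname}: {z[0]} {z[1]}")
```

If `closest_enclosing` returns `None` for a name that still gets an authoritative NXDOMAIN (the `aa` flag in the dig output above), the answer is not coming from any of the entries you fed the script, so check the effective set of zones on the running server with `unbound-control list_local_zones` rather than grepping one file.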