diff --git a/etc/unbound/unbound.conf.d/blocklist-tld.conf b/etc/unbound/unbound.conf.d/blocklist-tld.conf
new file mode 100644
index 00000000..4f0e8710
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/blocklist-tld.conf
@@ -0,0 +1,8 @@
+server:
+
+# Firefox automatic DoH to unfiltered DNS is especially unwanted in this case
+local-zone: "use-application-dns.net." always_nxdomain
+
+# Very high abuse potential
+local-zone: "zip." always_refuse
+local-zone: "mov." always_refuse