diff --git a/etc/unbound/unbound.conf.d/blocklist.conf b/etc/unbound/unbound.conf.d/blocklist.conf
index 857316db..a90befee 100644
--- a/etc/unbound/unbound.conf.d/blocklist.conf
+++ b/etc/unbound/unbound.conf.d/blocklist.conf
@@ -2,3 +2,8 @@
 # this Unbound using DNS-over-TLS / DNSCrypt without the need for it to use
 # separate DNS.
 local-zone: "use-application-dns.net." always_nxdomain
+
+# I have something very aggressively attempting to resolve these two domains
+# and errorring on DNSSEC due to upstream resolver blocking them.
+local-zone: "google-analytics.com." always_nxdomain
+local-zone: "www.google-analytics.com." always_nxdomain