diff --git a/etc/unbound/unbound.conf.d/blocklist.conf b/etc/unbound/unbound.conf.d/blocklist.conf
new file mode 100644
index 00000000..3c327de6
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/blocklist.conf
@@ -0,0 +1,18 @@
+server:
+# Tells Firefox to not automatically use Cloudflare as TRR thus bypassing
+# local encrypted DNS.
+# Encrypted Client Hello (ECH) does require DoH, but that should be
+# configured separately in browser policy and/or autoconfig.js
+local-zone: "use-application-dns.net." always_nxdomain
+
+# One of the most prevalent trackers, also the most blocked one.
+local-zone: "google-analytics.com." always_refuse
+
+# Theoretically breaks nothing as clients should handle it.
+# https://aminda.eu/matrix/#why-do-you-use-matrix-uri-scheme-instead-of-matrixto
+# https://matrix.to/#/!KMbEUhVQHLwZHmwzKX:matrix.org/$jvB1PAivkIzRKQdlU_KFAtyPW_8Gv9o5tygud_09CRY?via=pikaviestin.fi&via=grin.hu&via=tchncs.de
+local-zone: "matrix.to." always_refuse
+
+# A lot of apps integrating Facebook in any form on mobile call this domain
+# in particular, likely websites too.
+local-zone: "graph.facebook.com." always_refuse