From e9aefd711ba38c38fd303b3a9ab5b863798ee1fa Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Sat, 21 Nov 2020 12:13:55 +0200
Subject: [PATCH] blocklist.conf: refuse blocked instead of nxdomain

Only the Firefox DoH needs to be NXDOMAIN while REFUSE may be more accurate for the rest.
---
 etc/unbound/unbound.conf.d/blocklist.conf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/etc/unbound/unbound.conf.d/blocklist.conf b/etc/unbound/unbound.conf.d/blocklist.conf
index 5f7287c6..40062fc6 100644
--- a/etc/unbound/unbound.conf.d/blocklist.conf
+++ b/etc/unbound/unbound.conf.d/blocklist.conf
@@ -7,10 +7,10 @@ local-zone: "use-application-dns.net." always_nxdomain
 
 # I have something very aggressively attempting to resolve Google Analytics
 # and errorring on DNSSEC due to upstream resolver blocking them.
-local-zone: "google-analytics.com." always_nxdomain
-local-zone: "ssl.google-analytics.com." always_nxdomain
-local-zone: "www.google-analytics.com." always_nxdomain
+local-zone: "google-analytics.com." always_refuse
+local-zone: "ssl.google-analytics.com." always_refuse
+local-zone: "www.google-analytics.com." always_refuse
 
 # On top NextDNS blocks after Google Analytics, while I am not entirely sure
 # blocking it is in my interests.
-local-zone: "incoming.telemetry.mozilla.org." always_nxdomain
+local-zone: "incoming.telemetry.mozilla.org." always_refuse
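Review bot: The switch to `always_refuse` on the four blocked zones changes how clients react, and the file does not record it: REFUSED is a server-level refusal rather than an answer about the name, so a stub resolver with more than one nameserver configured will typically move on to the next one, and the block then holds only if every configured resolver also blocks these names. It may also not quiet the client the comment describes as resolving Google Analytics "very aggressively", since a refusal is generally not negatively cached the way NXDOMAIN is. I would add a comment above the first changed line such as `# always_refuse answers REFUSED; clients may retry other nameservers, so all configured resolvers must block these names`. Separately, a local-zone also covers the names below it, so the `ssl.` and `www.` entries look redundant next to `google-analytics.com.`.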