I used also a DNS Blacklist but point the DNS to a local IP address and the host just reject the TCP connection with TCP-RST. I think this is faster than redirecting to a webserver which sends back e.g. a white image 1x1 pixel, because for the TCP-RST just two packets and for the webserver at least three (or more if TLS is in use). But is this true? Is the client faster because it cache the image and don’t even make a request at all? And if this approach with NXDOMAIN even faster, because it cache the response from DNS locally?
Yes, using NXDOMAIN is a lot faster then 0.0.0.0 or 127.0.0.1 in the /etc/hosts file.
Some pages that I opened before (with 0.0.0.0 in /etc/hosts) loaded 10+ seconds. Now after change to NXDOMAIN with unbound(8) its 2-3 seconds and its loaded.
It really makes a difference for some pages.
Added UPDATE 1 with many improvements and alternatives to my solution.
Seems a bit similar to void-zone-tools1. (Not that this is a bad thing by any means!)
I do like that you used always_nxdomain (most of the time I just see empty block with static recommended) though! Great!