Stop resolving blacklisted domains to prevent DNS level tracking

Hello NextDNS team and community,

When testing NextDNS with "interactsh", I discovered that every DNS query is sent to authoritative DNS servers even if the domain (or its root) is blacklisted; the "blocking" actually happens only during the response phase. In practice this means a known tracker or malicious site could, for example, spin up endless unique subdomains, force NextDNS to resolve them, and fingerprint or track users despite the blacklist.

Impact  

- Trackers bypass blocklists by querying unique random domains.  

- Users still leak DNS data for every query, exposing browsing habits.  

- This undermines the core privacy promise of NextDNS.

Proposed solution  

1. Default to checking blocklists before sending any query upstream.  

2. Offer an “Early Block” toggle in settings for users who need maximum privacy, if there are some adverse impacts on performance from this.

Please upvote if you agree this change would greatly improve privacy and make NextDNS more robust against active trackers. Thanks for considering!
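As an added illustration of the "check the blocklist before anything goes upstream" ordering proposed above (example code, not NextDNS's own and not part of the original post): a toy forwarding resolver that walks up the label hierarchy of each queried name and answers blocked names locally, so a per-query random subdomain of a listed domain never reaches the authoritative server. The blocklist entries, the upstream stand-in and the query names are all constructed.

```python
"""Blocklist check applied before any upstream DNS query is sent (constructed example)."""
from typing import Callable, List, Optional, Set, Tuple

# Constructed sample blocklist: bare domains; an entry covers all of its subdomains.
BLOCKLIST: Set[str] = {"tracker.example", "ads.example.net"}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'A.B.' and 'a.b' compare equal."""
    return name.rstrip(".").lower()


def blocked_by(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry covering qname (itself or any parent), else None.

    Matching whole labels upward is what defeats unique random subdomains:
    x9f3.tracker.example is caught by 'tracker.example' even though the resolver
    has never seen that exact name before, while 'nottracker.example' is not.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


class Resolver:
    """Toy forwarding resolver: blocklist first, upstream only for allowed names."""

    def __init__(self, blocklist: Set[str], upstream: Callable[[str], str]):
        self.blocklist = blocklist
        self.upstream = upstream              # stand-in for the real upstream
        self.upstream_queries: List[str] = []  # every name that left the resolver

    def resolve(self, qname: str) -> Tuple[str, str]:
        entry = blocked_by(qname, self.blocklist)
        if entry is not None:
            # Answer locally: the upstream never learns this name was queried.
            return ("blocked", f"NXDOMAIN (matched {entry})")
        self.upstream_queries.append(normalize(qname))
        return ("resolved", self.upstream(qname))


def fake_upstream(qname: str) -> str:
    """Constructed stand-in for the authoritative server (RFC 5737 test address)."""
    return "192.0.2.1"


if __name__ == "__main__":
    r = Resolver(BLOCKLIST, fake_upstream)
    for q in ["www.example.com", "x9f3-unique.tracker.example", "cdn.ads.example.net."]:
        print(q, "->", r.resolve(q))
    print("names sent upstream:", r.upstream_queries)
```

Only the allowed name appears in `upstream_queries`; the two blocked names are answered without any upstream traffic.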

1 reply

    • R_P_M
    • 10 days ago

    "interactsh" is blocked by HaGeZi's Threat Intelligence Feeds. I would cast doubt on any results you get from there, unless it's unblocked at a later date.
