Block subdomain of allowed parent domain

I have a similar situation. I need to use Sentry.io for work and would prefer that it be blocked on my network overall. I want to allow sentry.io, but block the domain that the trackers normally are served from. I can't do that as if I allow sentry.io that includes all subdomains, not just the root domain. And since the Allow List appears to trump the Block List, I can't simply add the subdomains to the blocklist either.

Unfortunately you cannot allow a root domain and try to deny/redirect one of its subdomains as currently the allowlist supersedes everything else. Whatever denylist/redirect entries you create, you will have to keep that allowlist precedence in mind.

Adding domain/subdomain exceptions to the allowlist/denylist would be a nice idea for NextDNS to add though, for more granularity

This drives me insane!

Allowing a domain will automatically allow all its subdomains. Allowing takes precedence over everything else, including security features.

I understand having the allow rule take precedence over other features and blocklist rules. But having it take precedence over an explicit deny rule makes no sense.

I have the same problem: I want to block google.com search for my daughter (she should use kagi.com instead) but she needs access to classroom.google.com for school...

I wonder whether the current limitation is technically imposed by how DNS works or a design decision by nextDNS?

Dear NextDNS, when you give a friend your aparment key (root domain) to feed your cat, you definitely don't want them being able to open your safebox and sex toys locker (specific subdomains) with it. Please reconsider.