I have a similar situation. I need to use Sentry.io for work and would prefer that it be blocked on my network overall. I want to allow sentry.io, but block the domain that the trackers normally are served from. I can't do that as if I allow sentry.io that includes all subdomains, not just the root domain. And since the Allow List appears to trump the Block List, I can't simply add the subdomains to the blocklist either.

Unfortunately you cannot allow a root domain and try to deny/redirect one of its subdomains as currently the allowlist supersedes everything else. Whatever denylist/redirect entries you create, you will have to keep that allowlist precedence in mind.

Adding domain/subdomain exceptions to the allowlist/denylist would be a nice idea for NextDNS to add though, for more granularity