Block subdomain of allowed parent domain

I have a similar situation. I need to use Sentry.io for work and would prefer that it be blocked on my network overall. I want to allow sentry.io, but block the domain that the trackers normally are served from. I can't do that as if I allow sentry.io that includes all subdomains, not just the root domain. And since the Allow List appears to trump the Block List, I can't simply add the subdomains to the blocklist either.

Unfortunately you cannot allow a root domain and try to deny/redirect one of its subdomains as currently the allowlist supersedes everything else. Whatever denylist/redirect entries you create, you will have to keep that allowlist precedence in mind.

Adding domain/subdomain exceptions to the allowlist/denylist would be a nice idea for NextDNS to add though, for more granularity

This drives me insane!

Allowing a domain will automatically allow all its subdomains. Allowing takes precedence over everything else, including security features.

I understand having the allow rule take precedence over other features and blocklist rules. But having it take precedence over an explicit deny rule makes no sense.

I have the same problem: I want to block google.com search for my daughter (she should use kagi.com instead) but she needs access to classroom.google.com for school...

I wonder whether the current limitation is technically imposed by how DNS works or a design decision by nextDNS?