Hacker News

TacticalCoder today at 2:34 PM (1 reply)

I run unbound too here. I love it that it takes wildcards to blacklist domains. I'm using big lists of domains to block and then I've got a whitelist that supersedes the blocked ones.

And I've got a little tool that takes:

    ayt7.ads.acme.com
    afi6.ads.acme.com
    foi5.ads.acme.com

and simplifies it to:

    ads.acme.com

Then I've got a script which generates variations of the domain names I use. Say if I use:

    mybank.com (legit)

I block:

    myb4nk.com
    mibank.com
    mybank.{any other tld}

etc.

I generate hundreds of thousands of such variations: all blacklisted by unbound.

I did it after one of my banks sent me an example of a very convincing phishing site.

Been using such a setup for years now. A million blocklisted domains run fine on an old Pi 3. I take it that on a more powerful computer unbound can deal with blocklists with millions if not tens of millions of domains (and, no, I haven't moved to whitelisting only).

I also block all unicode domains. I simply cannot access a domain name that uses unicode characters in its name (and, no, I don't care).
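The pipeline the comment describes (collapsing hostnames to a shared parent, generating look-alike variants of a legitimate domain, and emitting the result as unbound local-zones with the whitelist winning), as an added Python example rather than the commenter's own tool. The hostnames, substitution table and TLD list are constructed samples; `always_nxdomain` is the unbound local-zone type that answers NXDOMAIN for the zone and everything beneath it, which is the "wildcard" behaviour the comment relies on.

```python
# Added example, not the commenter's tool. All sample data below is constructed.
from collections import defaultdict

HOSTS = ["ayt7.ads.acme.com", "afi6.ads.acme.com", "foi5.ads.acme.com"]
# Deliberately small substitution tables; a real deployment would use larger ones.
LOOKALIKES = {"a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"], "o": ["0"], "s": ["5"]}
VOWELS = "aeiouy"
OTHER_TLDS = ["net", "org", "co", "info", "xyz"]

def collapse_hosts(hosts, keep_labels=3, min_count=2):
    """Replace hosts that share a parent of `keep_labels` labels with that parent
    when at least `min_count` hosts fall under it. An unbound local-zone on the
    parent also covers every subdomain, so one config line replaces many hosts."""
    groups = defaultdict(set)
    for h in hosts:
        labels = h.lower().rstrip(".").split(".")
        parent = ".".join(labels[-keep_labels:])
        groups[parent].add(".".join(labels))
    out = set()
    for parent, members in groups.items():
        out |= {parent} if len(members) >= min_count else members
    return sorted(out)

def variations(domain, tlds=OTHER_TLDS):
    """Generate single-edit look-alikes of `domain`: digit/letter swaps,
    vowel swaps, dropped or doubled letters, and the same name on other TLDs."""
    name, _, tld = domain.lower().rpartition(".")
    out = set()
    for i, ch in enumerate(name):
        for sub in LOOKALIKES.get(ch, []):                  # mybank -> myb4nk
            out.add(f"{name[:i]}{sub}{name[i + 1:]}.{tld}")
        if ch in VOWELS:                                    # mybank -> mibank
            out |= {f"{name[:i]}{v}{name[i + 1:]}.{tld}" for v in VOWELS if v != ch}
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")          # mybank -> mbank
        out.add(f"{name[:i]}{ch}{name[i:]}.{tld}")          # mybank -> mybbank
    out |= {f"{name}.{t}" for t in tlds if t != tld}        # mybank -> mybank.net
    out.discard(domain.lower())                             # never block the real one
    return sorted(out)

def unbound_zones(blocked, allow=()):
    """Emit unbound local-zone lines; names on the allow list are skipped so the
    whitelist supersedes the blocklist, as in the commenter's setup."""
    allow = {a.lower().rstrip(".") for a in allow}
    return [f'local-zone: "{d}." always_nxdomain' for d in sorted(set(blocked))
            if d.lower().rstrip(".") not in allow]

if __name__ == "__main__":
    print("\n".join(unbound_zones(collapse_hosts(HOSTS) + variations("mybank.com"))))
```

Append the printed lines to a file pulled in with unbound's `include:` directive and reload; a domain that turns out to be legitimate goes on the allow list rather than being hunted down in the generated output.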


Replies

ragequittah today at 6:56 PM

I love the dedication but isn't using a good password manager the much cleaner and robust way of fixing the bank phishing problem? Or using the app on your phone.