For the Knot DNS resolver (used for instance on the Turris:
-- https://www.shaftinc.fr/escalade-traque-eulerian.html
policy.add(policy.suffix(policy.DENY, {todname('eulerian.net.')}))
policy.add(policy.suffix(policy.DENY, {todname('dnsdelegation.io.')}))
Note that it is not a good solution since (to quote the documentation) "The policy module currently only looks at whole DNS requests. The rules won’t be re-applied e.g. when following CNAMEs." So, it only blocks the initial QNAME while we want to block aliases. For further study.