Why local domains are being blocked and giving an answer of SOA

You may notice that local domains are being blocked even when a device is in an Unfiltered Policy. This happens because the router is being asked to recursively resolve a domain that isn’t a valid public suffix.

We use this list as an authoritative list: publicsuffix.org

It’s a pro-privacy feature as otherwise your upstream connectivity obtains behavioural info that cannot be resolved anyway.