I run unbound too here. I love it that it takes wildcards to blacklist domains. I'm using big lists of domains to block and then I've got a whitelist that supersedes the blocked ones.
And I've got a little tool that takes:
ayt7.ads.acme.com
afi6.ads.acme.com
foi5.ads.acme.com
and simplifies it to: ads.acme.com
Then I've got a script which generates variations of domain names I use. Say if I use: mybank.com (legit)
I block: myb4nk.com
mibank.com
mybank.{any other tld}
etc. I generate hundreds of thousands of such variations: all blacklisted by unbound.
I did it after one of my banks sent me an example of a very convincing phishing site.
Been using such a setup for years now. A million blocklisted domains runs fine on an old Pi 3. I take it that on a more powerful computer unbound can deal with blocklists with millions if not tens of millions of domains (and, no, I haven't moved to whitelisting only).
I also block all unicode domains. I simply cannot access a domain name that uses unicode characters in its name (and, no, I don't care).
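A defender-side sketch of the collapse-plus-whitelist step described in the comment above, added here as an example (it is not the commenter's own tool): it folds sibling hostnames into their shared parent, lets the whitelist win, and emits unbound `local-zone` lines. It assumes unbound's `always_nxdomain` and `transparent` zone types, a constructed sample list, and a simple child-count threshold instead of a Public Suffix List lookup.

```python
"""Collapse a hostname blocklist to shared parent domains, let a whitelist
win, and emit unbound local-zone lines. All input here is constructed."""
from collections import Counter

# Constructed sample data, not a real blocklist.
BLOCKLIST = ["ayt7.ads.acme.com", "afi6.ads.acme.com", "foi5.ads.acme.com",
             "tracker.example.net", "cdn.example.net", "lonely.example.org"]
WHITELIST = ["cdn.example.net"]

def parent_of(name):
    """'a.b.c' -> 'b.c'; '' when there is no parent."""
    return name.partition(".")[2]

def collapse(hosts, min_children=2, min_labels=2):
    """Replace each group of >= min_children names sharing a parent with that
    parent, until stable; never produce parents shorter than min_labels labels.
    Assumption: no Public Suffix List check, so raise min_labels if needed."""
    current = {h.strip().lower().rstrip(".") for h in hosts if h.strip()}
    while True:
        counts = Counter(parent_of(h) for h in current)
        merged = set()
        for h in current:
            p = parent_of(h)
            ok = p and counts[p] >= min_children and p.count(".") + 1 >= min_labels
            merged.add(p if ok else h)
        if merged == current:
            return merged
        current = merged

def is_under(name, zone):
    return name == zone or name.endswith("." + zone)

def apply_whitelist(blocked, whitelist):
    """Whitelist supersedes: drop blocked names at or below a whitelisted one;
    whitelisted names below a still-blocked zone get an explicit carve-out."""
    allowed = {w.strip().lower() for w in whitelist if w.strip()}
    kept = {b for b in blocked if not any(is_under(b, w) for w in allowed)}
    carve_outs = {w for w in allowed if any(is_under(w, b) for b in kept)}
    return kept, carve_outs

def unbound_lines(blocked, carve_outs):
    """unbound applies the longest matching local-zone, so a transparent
    carve-out below an always_nxdomain zone restores resolution for it."""
    lines = [f'local-zone: "{z}" always_nxdomain' for z in sorted(blocked)]
    return lines + [f'local-zone: "{w}" transparent' for w in sorted(carve_outs)]

def build(blocklist=BLOCKLIST, whitelist=WHITELIST):
    blocked, carve = apply_whitelist(collapse(blocklist), whitelist)
    return unbound_lines(blocked, carve)
```

`build()` returns the config lines; join them with newlines to drop into an unbound include file.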
It sounds like we share some similar tactics. Some day you should make an article about your setup.
I love the dedication but isn't using a good password manager the much cleaner and robust way of fixing the bank phishing problem? Or using the app on your phone.