We are in the process of switching from NXDOMAIN to the REFUSED status whenever we block a domain from our side.
This will avoid confusion between a blocked domain and a domain that does not exist and follow good industry practices.
If you are looking for the NXDOMAIN on your tests to verify that it got blocked, please make sure to check for both (NXDOMAIN or REFUSED).
In a few weeks, we will retire NXDOMAIN and only use REFUSED. Eg:
$ dig badexample.com @185.228.168.10
; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> badexample.com @185.228.168.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 15146
thanks!