apologies for the noise. Some searching found the answer:
create a file /etc/unbound/local.d/block_bad.conf
with:
local-zone: "use-application-dns.net" always_nxdomain
You can also add:
harden-below-nxdomain: yes
if you want belt-and-braces.
save that and restart unbound.