Pick an IP from any RFC-based internal address range and sinkhole it in your setups; this way you may send all unwanted traffic there.
There is quite some difference in behaviour from your client systems between returning NXDOMAIN and returning a valid
IP address that you then sinkhole, no matter whether you DROP or REJECT it with a reply like HOST UNREACHABLE or even a TCP RST.
I know that is a bug in those clients, but it is the situation we will have to live with; Microsoft is not going to change their
broken TCP just because it is more convenient to network administrators.
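To make the two resolver behaviours the post compares concrete, here is an added example (not code from the post or its author) of a minimal DNS responder that, for a name on a blocklist, either answers with a sinkhole address or returns NXDOMAIN. It assumes 192.0.2.1 (an RFC 5737 documentation address, chosen here only for illustration) as the sinkhole target, a constructed blocklist, and uses only the Python standard library; blackholing the sinkhole address with a route or firewall rule is a separate step the code does not perform.

```python
"""Minimal DNS sinkhole responder (constructed example, standard library only).

Blocked names are answered either with a sinkhole A record or with NXDOMAIN
so the two client-facing behaviours can be produced and compared. Unblocked
names return None, meaning the caller should forward them upstream.
"""
import struct

SINKHOLE_IP = "192.0.2.1"   # assumption: RFC 5737 TEST-NET-1, never routed on a real network
QTYPE_A = 1
QCLASS_IN = 1
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels).lower(), offset
        if length & 0xC0:
            raise ValueError("compression pointers are not supported in questions")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qid, name, qtype=QTYPE_A):
    """Build a standard recursive query (used here to construct sample input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD bit set
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def is_blocked(name, blocklist):
    """True if the name itself or any parent domain is on the blocklist."""
    parts = name.rstrip(".").lower().split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def build_response(query, blocklist, mode="sinkhole", sinkhole_ip=SINKHOLE_IP, ttl=60):
    """Return a wire-format reply for a blocked name, or None to forward upstream."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a single-question query")
    name, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    if not is_blocked(name, blocklist):
        return None
    if mode == "nxdomain":
        # QR=1, RD=1, RA=1, RCODE=3: tell the client the name does not exist
        header = struct.pack("!HHHHHH", qid, 0x8180 | RCODE_NXDOMAIN, 1, 0, 0, 0)
        return header + question
    if mode != "sinkhole":
        raise ValueError("mode must be 'sinkhole' or 'nxdomain'")
    answers, ancount = b"", 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        rdata = bytes(int(o) for o in sinkhole_ip.split("."))
        # 0xC00C is a compression pointer back to the name in the question section
        answers = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + rdata
        ancount = 1
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, ancount, 0, 0)   # NOERROR
    return header + question + answers


def summarize(resp):
    """Return (rcode, [A record addresses]) from a reply produced by build_response."""
    _qid, flags, qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(resp, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        off += 2                                   # skip the compressed name pointer
        rtype, _rclass, _rttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_A:
            addrs.append(".".join(str(b) for b in resp[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, addrs


if __name__ == "__main__":
    blocklist = {"unwanted.example"}                # constructed sample blocklist
    q = build_query(0x1234, "cdn.unwanted.example")
    print(summarize(build_response(q, blocklist)))                    # (0, ['192.0.2.1'])
    print(summarize(build_response(q, blocklist, mode="nxdomain")))   # (3, [])
    print(build_response(build_query(1, "example.com"), blocklist))   # None
```

The `mode` switch is the point of the exercise: with `"sinkhole"` the client receives a normal-looking answer and goes on to open a connection that the network must then drop or reject, while with `"nxdomain"` the failure happens inside the resolver and no connection attempt is made. Running both against the same client under test is the quickest way to see the behavioural difference the post describes.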