I set up Unbound in my local network as a local DNS resolver. I noticed that it will not filter any private IP addresses in the resolved domains and forward any IP address that a domain resolves to.
In order to protect against DNS rebinding, I would like to make Unbound not return any private IP addresses from public domains to the clients, however I haven't found any information on that from the official documentation. Apparently dnsmasq does this protection by default.