scutil is only half the story, because some macOS lookups still go through mDNSResponder in ways that ignore or override that config, which leaves you debugging random misses and binary plist junk. At this point, unbound or dnsmasq is simpler.