I want to configure Unbound DNS for a domain, e.g. domain.com,
in such a way that it only answers for *.domain.com and all other queries, like gmail.com or hotmail.com, are refused.
I have the following configuration, but it doesn't work as desired.
server:
    interface: a.b.c.d    # public IP
    verbosity: 2
    logfile: "unbound.log"
    log-queries: yes
    hide-identity: yes
    hide-version: yes
    access-control: 127.0.0.1/8 allow
    access-control: 192.168.0.0/24 allow
    access-control: 0.0.0.0/0 refuse_non_local
    local-zone: "domain.com" transparent

forward-zone:
    name: "domain.com"
    forward-addr: 192.168.0.1    # local DNS server
So the idea is that a query for the zone domain.com arrives on the live/public interface (IP a.b.c.d), the query is forwarded to the local DNS 192.168.0.1, and then the answer is returned to a.b.c.d, which sends it on to the client/internet. If a query arrives on a.b.c.d for, let's say, gmail.com, then REFUSED should be the answer, like the following:

** server can't find gmail.com: REFUSED

I am not able to achieve REFUSED for domains other than domain.com (e.g. gmail/hotmail).
In a nutshell, I can't get access-control: 0.0.0.0/0 refuse_non_local to work.
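A server section that produces the behaviour described above, added here as an example and not part of the original question. It assumes, from my reading of Unbound's local-zone handling, that the most specific local-zone wins for a name and that a transparent zone with no local-data falls through to normal resolution, where the forward-zone applies; refuse_non_local only permits local-data answers, so a forwarded zone is not "local" in that sense.

```conf
server:
    interface: a.b.c.d            # public IP, as in the question
    verbosity: 2
    logfile: "unbound.log"
    log-queries: yes              # keeps a record of every query, incl. refused ones
    hide-identity: yes
    hide-version: yes
    # Let every client reach the local-zone step; the catch-all local-zone
    # below decides what is answered. refuse_non_local would also refuse
    # domain.com, because answers from a forward-zone are not local-data.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/24 allow
    access-control: 0.0.0.0/0 allow
    # Catch-all: any name not under a more specific local-zone gets REFUSED.
    local-zone: "." refuse
    # Most specific zone wins: domain.com falls through to normal
    # resolution, which the forward-zone below sends to 192.168.0.1.
    local-zone: "domain.com" transparent

forward-zone:
    name: "domain.com"
    forward-addr: 192.168.0.1     # internal DNS server, as in the question
```

Verify from outside with `dig @a.b.c.d www.domain.com` (expect NOERROR and data from 192.168.0.1) and `dig @a.b.c.d gmail.com` (expect `status: REFUSED` in the header). Unbound's built-in default zones (localhost, the 127.in-addr.arpa reverse zone and similar) are still answered locally; add `local-zone: "<name>" refuse` entries for them if the server must answer for nothing but domain.com.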