Please see the solution below from @PromoFaux that you can implement manually:
Let's say I've blacklisted .xyz with the following in /etc/dnsmasq.d/02-wildcards.conf:
address=/.xyz/192.168.1.253
That works, and I can no longer connect to anything on the xyz TLD. However, I know that I want to be able to access Alphabet's site (https://abc.xyz). In order to do this, I can either create another file to keep things separate (e.g. /etc/dnsmasq.d/03-exceptions.conf) or add my exceptions to 02-wildcards.conf like so:
server=/abc.xyz/8.8.8.8
server=/abc.xyz/8.8.4.4
(where 8.8.8.8 and 8.8.4.4 are your chosen upstream DNS IPs)
So, to tie it all together, the entire contents of my additional config file (the name really doesn't matter, but they are read into dnsmasq in alphanumerical order):
pi@raspberrypi:~ $ cat /etc/dnsmasq.d/02-cust.conf
#Block Entire XYZ TLD
address=/.xyz/192.168.1.253
#Exceptions below:
#Alphabet:
server=/abc.xyz/8.8.8.8
server=/abc.xyz/8.8.4.4
Remember to reload and restart dnsmasq:
sudo service dnsmasq reload
sudo service dnsmasq restart
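
To check which names an exception actually opens up, the sketch below (an added example, not part of the original post or of Pi-hole's code) applies dnsmasq's most-specific-domain-wins matching to the config file shown above. The helper names parse_rules and decide are hypothetical, the config text is embedded as a constructed sample, and only whole-line comments are handled.

```python
# Constructed sample: the contents of the config file shown in the post.
SAMPLE_CONF = """\
#Block Entire XYZ TLD
address=/.xyz/192.168.1.253
#Exceptions below:
#Alphabet:
server=/abc.xyz/8.8.8.8
server=/abc.xyz/8.8.4.4
"""


def parse_rules(conf_text):
    """Map each domain to its list of (option, target) pairs.

    Only domain-scoped address=/.../ and server=/.../ lines are read.
    Simplification (assumption): comments are whole lines starting with '#'.
    """
    rules = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key not in ("address", "server") or not value.startswith("/"):
            continue  # e.g. a plain upstream "server=8.8.8.8" has no domain scope
        *domains, target = value[1:].split("/")
        for dom in domains:
            # A leading dot is dropped: the post shows /.xyz/ covering the whole TLD.
            rules.setdefault(dom.strip(".").lower(), []).append((key, target))
    return rules


def decide(name, rules):
    """Return (matched_domain, [(option, target), ...]) for a query name.

    Walks from the full name towards the TLD, so the longest (most specific)
    configured domain wins, and matching happens on label boundaries only.
    (None, []) means no rule applies and the default upstream is used.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return suffix, rules[suffix]
    return None, []


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for q in ("www.example.xyz", "abc.xyz", "mail.abc.xyz", "notabc.xyz", "example.com"):
        print(q, "->", decide(q, rules))
```

The exception covers every subdomain of abc.xyz as well as abc.xyz itself, while notabc.xyz stays blocked because matching stops at label boundaries.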