Thanks to everybody, who replied. After some more reading and tinkering I've made the following observations:
The response code NXDOMAIN means: domain name did not resolve. In this case the search option becomes important. Whenever a domain name does not resolve, the client's resolver (at least in Linux) suffixes the original domain name with each item in the search list until the new domain name resolves. So this is regular behaviour and it explains the needless DNS queries. AdguardHome uses the response code NXDOMAIN to signal the client "this is a forbidden domain". For this signal "this is a forbidden domain" you can configure AdguardHome to use the IPv4 0.0.0.0 and the response code NOERROR. Now the (forbidden) domain is resolved without an error and the IPv4 of 0.0.0.0. So there's no need to use the search list and the needless DNS queries vanish. Thanks for reading and have a nice day. Dieter
