After upgrading to v5.0 the domain fonts.gstatic.com is blocked, which was never happening before. When I query the lists to find out which list is blocking it non is found. It is also not on my blacklist. Interestingly the reply column just contains '-' but on all other blocked entries '- (xx ms)'
Adding fonts.gstatic.com to the whitelist resolves to problem as a workaround.
Debug Token:
o780xl4e50
Does an exact match search bring up any lists? Pi-hole wouldn't know to block a domain unless it was on a list in some capacity.
No it doesn't (except for the whitelist now after adding it)
What is the output of the following:
grep fonts.gstatic.com /var/log/pihole.log | tail -n20
Jan 21 21:08:46 dnsmasq[25801]: reply fonts.gstatic.com is <CNAME>
Jan 21 21:11:18 dnsmasq[25801]: query[A] fonts.gstatic.com from 10.0.1.136
Jan 21 21:11:18 dnsmasq[25801]: forwarded fonts.gstatic.com to 127.0.0.1
Jan 21 21:11:18 dnsmasq[25801]: reply fonts.gstatic.com is <CNAME>
Jan 21 21:21:12 dnsmasq[25801]: query[A] fonts.gstatic.com from 10.0.1.136
Jan 21 21:21:12 dnsmasq[25801]: cached fonts.gstatic.com is <CNAME>
Jan 21 21:22:14 dnsmasq[25801]: query[A] fonts.gstatic.com from 10.0.1.136
Jan 21 21:22:14 dnsmasq[25801]: cached fonts.gstatic.com is <CNAME>
Jan 21 21:44:05 dnsmasq[25801]: query[A] fonts.gstatic.com from 10.0.1.136
Jan 21 21:44:05 dnsmasq[25801]: cached fonts.gstatic.com is <CNAME>
Jan 21 21:50:23 dnsmasq[25801]: query[A] fonts.gstatic.com from 10.0.1.136
Jan 21 21:50:23 dnsmasq[25801]: cached fonts.gstatic.com is <CNAME>
Jan 21 22:02:18 dnsmasq[25801]: query[A] fonts.gstatic.com from 10.0.1.136
Jan 21 22:02:18 dnsmasq[25801]: cached fonts.gstatic.com is <CNAME>
Jan 21 22:21:55 dnsmasq[25801]: query[A] fonts.gstatic.com from 10.0.1.136
Jan 21 22:21:55 dnsmasq[25801]: forwarded fonts.gstatic.com to 127.0.0.1
Jan 21 22:21:55 dnsmasq[25801]: reply fonts.gstatic.com is <CNAME>
Jan 21 22:22:17 dnsmasq[25801]: query[A] fonts.gstatic.com from 10.0.1.136
Jan 21 22:22:17 dnsmasq[25801]: forwarded fonts.gstatic.com to 127.0.0.1
Jan 21 22:22:17 dnsmasq[25801]: reply fonts.gstatic.com is <CNAME>
(Cave: older entries with domain on whitelist. I removed it, and reloaded the site to force a query)
Looks like the query is being forwarded to your upstream internal resolver, that resolver is showing that it's a CNAME. So it's not being immediately blocked by Pi-hole. This may be CNAME cloak blocking, in that the CNAME is for a domain that is blocked. Tailing the log without grep should show you if the CNAME value that is being returned is being blocked.
My upstream internal resolver is unbound, configured as described by pi-holes documentation.
Log without grep:
Jan 21 22:51:25 dnsmasq[25801]: query[A] fonts.gstatic.com from 10.0.1.136
Jan 21 22:51:25 dnsmasq[25801]: forwarded fonts.gstatic.com to 127.0.0.1
Jan 21 22:51:25 dnsmasq[25801]: validation result is INSECURE
Jan 21 22:51:25 dnsmasq[25801]: reply fonts.gstatic.com is
Jan 21 22:51:26 dnsmasq[25801]: query[A] aa.google.com from 10.0.1.136
Looks like the reply is empty.
Setting verbose level=2 in unbound.conf results in the log attached. unbound_log.txt (6.3 KB)
I'm experiencing the same issues with fonts.gstatic.com as well, but I'm not using unbound.
I'm using these DNS servers:
nslookup fonts.gstatic.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: fonts.gstatic.com
fonts.gstatic.com canonical name = gstaticadssl.l.google.com
Name: gstaticadssl.l.google.com
Address 1: 172.217.167.67
fonts.gstatic.com canonical name = gstaticadssl.l.google.com
Address 2: 2404:6800:4006:80a::2003
pihole -q gstaticadssl.l.google.com
Match found in https://v.firebog.net/hosts/static/w3kbl.txt:
gstaticadssl.l.google.com
Match found in https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt:
gstaticadssl.l.google.com
Match found in https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt:
gstaticadssl.l.google.com
The fact it is being blocked is expected behaviour, but the main issue here is that Pi-hole doesn't give any insight about which CNAME result caused the lookup to be blocked. The Web UI could stand to say something like "Blocked (gravity, CNAME)" and some way of being able to observe that it was the CNAME result of gstaticadssl.l.google.com that lead to it being blocked.
As Dan posted below, it looks like the visibility will be resolved in the very near future which is excellent to see! 
See Some domains are intermittently blocked even though they are on the whitelist - #15 by anon13884536
Thanks @WaLLy3K for the perfect explanation. Updated pihole to the latest version and now also seeing Blocked (CNAME).