Try it, you said, so I did, because I'm NOT happy with users that say AGH can do what pihole can't.
I setup an AGH, some basic configuration, nothing fancy, and defined a DNS Rewrite (it has that option). I defined the domain www.dogpile.com to be redirected to duckduckgo.com
this is what dig says, after saving.
dig @192.168.2.249 www.dogpile.com
; <<>> DiG 9.16.4 <<>> @192.168.2.249 www.dogpile.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11006
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;www.dogpile.com. IN A
;; ANSWER SECTION:
www.dogpile.com. 10 IN CNAME duckduckgo.com.
duckduckgo.com. 110 IN A 220.127.116.11
;; Query time: 7 msec
;; SERVER: 192.168.2.249#53(192.168.2.249)
;; WHEN: Sat Apr 17 19:02:35 Romance Daylight Time 2021
;; MSG SIZE rcvd: 85
Dig does return an IP address!
and this is what firefox says...
after hitting advanced and "accept the risk and continue", the duckduckgo page opened.
Doesn't look like something I want to do all day....
Now I tried NTP, using this tool
I defined another DNS rewrite, time.android.com -> pfsense.localdomain (NOT defined on AGH, but on the upstream, e.g. pihole)
Again, dig shows it is a simple CNAME, but the redirection works, there is actually an IP in the reply. The NTP tools shows correct results, the pihole query log shows a query for pfsense.localdomain.
In conclusion, the AGH feature works for some protocols, like NTP, but is useless to redirect HTTPS trafic. Looks like the AGH CNAME implementation doesn't have the requirement, the redirect domain needs to be defined on the local system, dnsmasq does...