I cannot recreate your observation:
hub.docker.com resolves correctly with my Pi-hole/unbound configuration.
Your debug log shows you are using Pi-hole's default BLOCKINGMODE, which would return 0.0.0.0 for blocked domains.
This indeed confirms that it is not Pi-hole providing that NXDOMAIN answer by blocking hub.docker.com or any of its CNAMEs.
This would suggest that Pi-hole is using the reply as provided by unbound.
You could check that by running your dig directly through unbound:
dig -p 5335 @127.0.0.1 hub.docker.com
Some observations from your debug log, unrelated to your issue:
*** [ DIAGNOSING ]: Domainlist (0/1 = exact white-/blacklist, 2/3 = regex white-/blacklist)
id type enabled group_ids domain date_added date_modified comment
----- ---- ------- --------- --------------- ------------------- ------------------- ---------------------
52 0 1 0 104.112.149.216 2022-10-14 00:11:10 2022-10-14 00:11:10 Whitelist(aliexpress)
Pi-hole is a DNS filter - it is allowing or blocking domains, not IPs.
If you want to allow or block access to some or all of Aliexpress sites, you have to use the respective domain names.
You should remove that 104.112.149.216 entry via Pi-hole's Domain Management.
*** [ DIAGNOSING ]: contents of /etc
lrwxrwxrwx 1 root root 29 out 4 20:31 /etc/resolv.conf -> ../run/resolvconf/resolv.conf
search 172.16.0.1 172.16.0.10
Rather than IP addresses,
By default, resolv.conf's search option would expect a single local search domain name, rather than IPs.
Your local search domain name should appear here (e.g. lan, home.arpa, fritz.box,...).
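The check suggested at the top of this reply (send the same query to Pi-hole and then directly to unbound on port 5335) can be scripted as below. This is an added example, not part of the original post: the function names are hypothetical, the sample dig replies are constructed, and it assumes Pi-hole itself answers on 127.0.0.1 port 53.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample replies are constructed.
# Read one full dig reply on stdin; print blocked | nxdomain | resolved | other:<rcode>
classify_reply() {
    awk '
        /->>HEADER<<-/ {                      # header line carries the rcode
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^$/                  { in_answer = 0 }
        in_answer && ($4 == "A" || $4 == "AAAA") {
            answers++
            if ($5 == "0.0.0.0" || $5 == "::") nulls++   # default blocking mode reply
        }
        END {
            if (status == "NXDOMAIN")                    print "nxdomain"
            else if (status == "NOERROR" && nulls > 0)   print "blocked"
            else if (status == "NOERROR" && answers > 0) print "resolved"
            else                                         print "other:" status
        }'
}

# $1 = verdict for the query sent to Pi-hole, $2 = verdict for the same query sent to unbound
locate_nxdomain() {
    case "$1/$2" in
        blocked/*)         echo "Pi-hole blocked the domain" ;;
        nxdomain/nxdomain) echo "NXDOMAIN comes from unbound or further upstream" ;;
        resolved/*)        echo "domain resolves through Pi-hole" ;;
        *)                 echo "inconclusive: $1 via Pi-hole, $2 via unbound" ;;
    esac
}

SAMPLE_BLOCKED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111

;; ANSWER SECTION:
blocked.example. 2 IN A 0.0.0.0
'
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2222
'
SAMPLE_RESOLVED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333

;; ANSWER SECTION:
www.example. 300 IN CNAME host.example.
host.example. 300 IN A 192.0.2.10
'
# Live use (assumes Pi-hole listens on 127.0.0.1:53; 5335 is the unbound port from the post):
#   locate_nxdomain "$(dig @127.0.0.1 hub.docker.com | classify_reply)" \
#                   "$(dig -p 5335 @127.0.0.1 hub.docker.com | classify_reply)"
```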