No, the way DNS works is the limiter here. Let's oversimplify things a bit, so it gets more obvious why wildcard blacklisting does what it is doing: Let's assume we want to visit awesome.domain.de.
-
The root servers will be asked if they know
.deand us an address for a server that knows all domains that are provided under.de -
The
.deserver will know the host name and will return the address of the server that managesdomain.de -
This server will eventually be asked for the address of
awesome.domain.deand will give us the final address to which we will connect.
You see, DNS works from right to left. If we now wildcard block domain.de none of the above steps will happen. Instead, the Pi-hole will immediately answer its own IP (regardless of the subdomain).
I know that this might be inconvenient but rest assured that we had some sleepless nights, scratching our heads how to make it better and there seems to be no better way with the DNS resolver dnsmasq which we are using.