Right, I see!
I’ve found a similar problem in
https://www.reddit.com/r/pihole/comments/ixwgrb/other_aka_type_65_queries_from_ios14_devices_not/
So it seems that because iOS is using a secure DNS request in addition to its usual DNS, it is basically receiving two replies.
One which is the standard A type DNS request-response from pihole, and because pihole can’t decipher the secure DNS, a second secure DNS request-reply passed upstream to google.
So my question is thus changed:
Is there a function in pihole to block secure DNS, or do a local lookup? (Because I can’t stop it in iOS 
)
Thanks
Dan