Looks like a dns request (tom.itv.com) is getting forwarded, then blocked, but I can't see the name in the query lists...
Nov 23 12:07:09 dnsmasq[28029]: query[A] tom.itv.com from 192.168.0.127
Nov 23 12:07:09 dnsmasq[28029]: **forwarded tom.itv.com to 1.0.0.1**
Nov 23 12:07:09 dnsmasq[28029]: reply tom.itv.com is <CNAME>
Nov 23 12:07:09 dnsmasq[28029]: reply itv-ads.aimatch.com is blocked during CNAME inspection
Nov 23 12:07:09 dnsmasq[28029]: **exactly blacklisted tom.itv.com is 0.0.0.0**
What name in particular are you looking for? The domain itself is not blocked, but it leads to CNAMES which may be blocked. If a domaing that is not whitelisted leads via CNAME to a blocked domain, the original domain request will be blocked.
It was odd that it was forwarded, then apparently blocked due to being blacklisted, but it's not in my blacklist so far as I can see (see bold text).
Nov 23 12:07:09 dnsmasq[28029]: **query[A] tom.itv.com from 192.168.0.127**
Nov 23 12:07:09 dnsmasq[28029]: **forwarded tom.itv.com to 1.0.0.1**
Nov 23 12:07:09 dnsmasq[28029]: reply tom.itv.com is
Nov 23 12:07:09 dnsmasq[28029]: reply itv-ads.aimatch.com is blocked during CNAME inspection
Nov 23 12:07:09 dnsmasq[28029]: **exactly blacklisted tom.itv.com is 0.0.0.0**
Here's the result of 'pihole -q tom.itv.com'
pihole -q tom.itv.com
[i] No results found for tom.itv.com within the block lists
The name I'm interested in is 'tom.itv.com' , not 'itv-ads.aimatch.com' which is in my blacklist:
Match found in exact blacklist
itv-ads.aimatch.com
From my original posts, it looks like 'tom.itv.com' is at first queried, then noted as blacklisted, but it is not in my blacklist:
[i] No results found for tom.itv.com within the block lists
The DNS record for tom.itv.com is not pointing to an IP address, but to a CNAME, i.e. yet another domain name or set of domain names.
Pi-hole's log correctly reflects that CNAME resolution.
However, Pi-hole is smart enough to also check whether a CNAME should be blocked, and thus deflects such CNAME cloaking attempts..
In your case, that applies to itv-ads.aimatch.com.
So Pi-hole's log is correctly reflecting what is happening.
I admit it can be tricky to understand that from multiple log lines.
Fortunately, that is quite a bit easier if you look at Pi-hole's UI.
(EDIT: Removed sample screenshot of previous Pi-hole version, as jfb's sample below is more up to date.)
This is what you see in the dnsmasq log, which prints out raw data from dnsmasq (the DNS engine running under the hood of Pi-hole).
As @Bucking_Horn noted, in our query log we have more flexibility to show the circumstances under which the domain was blocked, and for this domain the query log shows that the domain itself is not blocked,