Some domains like tpc.googlesyndication.com are configured as a CNAME record instead of an A/AAAA record. This results in Pi-hole appending the blackhole A/AAAA records rather than replacing the CNAME record.
Pi-hole only appends the A/AAAA records to the existing CNAME record, resulting in the domain resolving to the CNAME and thus to a valid A/AAAA record in some cases.
Example host lookup output:
$ host tpc.googlesyndication.com
tpc.googlesyndication.com has address 0.0.0.0
tpc.googlesyndication.com has IPv6 address ::
tpc.googlesyndication.com is an alias for pagead-googlehosted.l.google.com.
The entry is found in the block lists. As already said, the blackhole A/AAAA records are returned.
Output of the command:
$ pihole -q -adlist tpc.googlesyndication.com
Match found in https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts:
tpc.googlesyndication.com
Match found in http://sysctl.org/cameleon/hosts:
tpc.googlesyndication.com
Match found in https://hosts-file.net/ad_servers.txt:
tpc.googlesyndication.com
tpc.googlesyndication.com.proxy.c9w.net
Pi-hole finds a match in the block lists and also successfully returns the NULL routing A/AAAA records. My issue with that is: Pi-hole still resolves the CNAME record to the original record which results in some requests being handled by the original host instead of being blackholed.
I searched a bit for the CNAME vs A/AAAA record issue and just found answers like "A CNAME record is not allowed to coexist with any other data".
I couldn't find any example entry for a failed lookup... weird.
BUT, while searching the pihole.log, I found another issue with CNAME records:
$ host adservice.google.de
adservice.google.de is an alias for pagead46.l.doubleclick.net.
pagead46.l.doubleclick.net has address 172.217.22.98
pagead46.l.doubleclick.net has IPv6 address ::
$ host pagead46.l.doubleclick.net
pagead46.l.doubleclick.net has address 0.0.0.0
pagead46.l.doubleclick.net has IPv6 address ::
$ pihole -q -adlist adservice.google.de
[i] No results found for adservice.google.de within the block lists
$ pihole -q -adlist pagead46.l.doubleclick.net
Match found in https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts:
pagead46.l.doubleclick.net
Match found in http://sysctl.org/cameleon/hosts:
pagead46.l.doubleclick.net
Match found in https://hosts-file.net/ad_servers.txt:
pagead46.l.doubleclick.net
And for that issue, I even have some entries in the pihole.log:
Jul 23 20:08:54 dnsmasq[516]: reply adservice.google.de is <CNAME>
Jul 23 20:08:54 dnsmasq[516]: reply pagead46.l.doubleclick.net is 172.217.16.162
Shouldn't Pi-hole also block adservice.google.de, as this record refers to a CNAME which is on the block list?
No. The domain you requested is not on the blocklist, and won't be blocked. If you want both domains blocked, then each must be on the blocklist. Filtering is applied on the initial query, not on every subsequent CNAME found. If the domain is not blocked, it clears Pi-hole and is forwarded to your upstream DNS server for resolution.
You do have some additional options to block this type of traffic. If, for example, you wanted to block any domain with the word "doubleclick" or "pagead", you can do this with regex filters. Then you won't have to block individual domains as you encounter them.
Your regex could be as simple as ^analytics?[-.] to block that word, or
^adse?rv(e(rs?)?|ices?)?[0-9]*[-.] to block more variations of words.
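The reply above says filtering is applied to the initial query only, and that can be audited from pihole.log. The following is an added example, not part of the thread and not Pi-hole's own code: it scans dnsmasq reply lines for answers whose CNAME chain passes through a blocklisted name but still returned a real address. The log sample and the blocklist set are constructed from names quoted in the thread, and the code assumes the reply lines of one answer are not interleaved with those of another.

```python
import re

# Constructed sample in the dnsmasq log format quoted in the thread.
SAMPLE_LOG = """\
Jul 23 20:08:54 dnsmasq[516]: query[A] adservice.google.de from 192.168.1.20
Jul 23 20:08:54 dnsmasq[516]: forwarded adservice.google.de to 192.168.1.1
Jul 23 20:08:54 dnsmasq[516]: reply adservice.google.de is <CNAME>
Jul 23 20:08:54 dnsmasq[516]: reply pagead46.l.doubleclick.net is 172.217.16.162
Jul 23 20:09:10 dnsmasq[516]: query[A] example.org from 192.168.1.20
Jul 23 20:09:10 dnsmasq[516]: reply example.org is 192.0.2.10
"""

# Constructed exact-match blocklist using two names the thread found on the adlists.
BLOCKLIST = {"pagead46.l.doubleclick.net", "tpc.googlesyndication.com"}

REPLY = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\S+)$")
NULL_ADDRS = {"0.0.0.0", "::"}  # blackhole answers shown in the thread


def cname_bypasses(log_text, blocklist):
    """Return (queried_name, blocklisted_alias, address) tuples for answers
    that reached a blocklisted name via CNAME yet resolved to a real address."""
    findings = []
    chain = []  # names answered with <CNAME> in the current reply
    for line in log_text.splitlines():
        m = REPLY.search(line)
        if not m:
            continue
        name, value = m.groups()
        if value == "<CNAME>":
            chain.append(name)
            continue
        # An address record ends the chain; chain[0] is the name that was queried.
        if chain and chain[0] not in blocklist and value not in NULL_ADDRS:
            hit = next((n for n in chain[1:] + [name] if n in blocklist), None)
            if hit:
                findings.append((chain[0], hit, value))
        chain = []
    return findings


if __name__ == "__main__":
    for queried, alias, addr in cname_bypasses(SAMPLE_LOG, BLOCKLIST):
        print(f"{queried} -> {alias} ({addr}): alias is blocklisted, query was not")
```

Each finding names a queried domain that would need its own blocklist or regex entry to be filtered.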
It's not only a TLD optimisation in your list, but these Google-related sites are not blocked by your regex list. Maybe you can add them (this code is different from the one in that regex!).
Some remarks:
1. (words|me|mob|sense|service|manager)s?: the s in words can be removed
2. (|\.google) must be (\.admob|\.google) (in the complete regex above it is ok)
3. this \.[a-z.]{2,7}$ maybe \.[a-z.]{2,8}$ because of the extra .
I did a small test with apis.googletagmanager.com but it didn't work with the new regex.
In my opinion it must be (google-?(ad|tag|about|\.rm)(d|word|me|mob|sense|service|manager)s?(\.admob|\.google)?)\.[a-z.]{2,8}$