Pi hole slow at loading some sites

I did some additional investigation.

I found that the problem is caused, in my case, by the firewall blocking all traffic to the DNS server (a.k.a. Pi-Hole) except for UDP port 53 (DNS port).

What happens is that, for the sites that take a long time to load (fully), the following happens:
The client sends a DNS request. Pi-Hole responds within milliseconds.
Then the client starts firing TCP requests to port 80 of the DNS server. This is blocked by the firewall. The client is waiting for the ACK message. This, of course, never comes. Then after a while the request times out and is resubmitted. After a few resubmissions the next requests are sent to the content provider (using the IPs provided by Pi-Hole). And then the page is loading further.

When I opened the firewall, the same page that took >3 mins to load is suddenly loading in 4 secs with Pi-Hole enabled.

Conclusion:
Some websites need port 80 on the DNS server open to acknowledge requests sent.

The above was, alas, not the whole story... There is more:

I have done some additional research as to why some websites are not loading or not loading fast. Also, why do I need to open TCP port 80/443 to my DNS server (Pi-Hole) for other websites to work? I think I know why this is. I do not, however, know how to solve it.

What happens:
When a website loading on a client is asking the DNS for the IP address of a blocked domain, my Pi-Hole returns the DNS server's IP address. See Wireshark example below (my DNS server has IP 1.1.1.1):
z-na.amazon-adsystem.com: type A, class IN, addr 1.1.1.1

Subsequently, my browser is going to launch all sorts of requests to port 80/443 (depending on the visiting website config) but, of course, directed to my DNS server. See example below (1.2.3.4 is my phone):
Internet Protocol Version 4, Src: 1.2.3.4, Dst: 1.1.1.1
Transmission Control Protocol, Src Port: 58531 (58531), Dst Port: http (80), Seq: 1, Ack: 1, Len: 496
GET /widgets/onejs?MarketPlace=US&adInstanceId=940dd04f-8090-4fa9-b381-46473d341c2c HTTP/1.1\r\n

Of course the DNS server does not know what to do with this request, so what happens is that, again dependent on the visiting site, the browser will go into endless re-transmissions. At some point the better designed websites will time out. Others will wait forever and the webpage will not load.

The potential solution for this would be to have the DNS server return not its own IP address but 0.0.0.0. This will lead to the immediate 'blackholing' of all further requests without retransmissions. My problem is: I do not know what to do to make that happen. It must be a setting in /etc/dnsmasq.d/01-pi-hole.conf, but which one?

Who can help with advice?

Pi-hole installs lighttpd to provide the block page and a response to queries on port 80. This allows us to show a blocked page when someone visits a blocked domain over HTTP. This is preferable to 0.0.0.0 because that setting will result in errors in place of ads, instead of an empty element when using Pi-hole's block page.
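An added example (mine, not from this thread or the Pi-hole project) that turns the diagnosis above into a check: given the A record a client received for a domain, it predicts whether the browser fails fast (0.0.0.0 answer), gets the lighttpd block page (Pi-hole's IP returned and port 80 reachable), or stalls in retransmissions (Pi-hole's IP returned but TCP dropped by a firewall). The domains and addresses are constructed; the Pi-hole address follows the thread's 1.1.1.1, and the stand-in probe assumes a firewall that drops all TCP to it.

```python
import socket
from typing import Callable, Dict

NULL_ADDRS = {"0.0.0.0", "::"}  # "null" blocking: the client fails at once


def tcp_probe(addr: str, port: int, timeout: float = 2.0) -> str:
    """Try a TCP connect to addr:port; report 'open', 'refused' or 'timeout'."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # RST came back: fast failure, no retransmissions
    except OSError:
        return "timeout"   # SYN dropped (e.g. by a firewall): client retransmits


def classify_sinkhole(answer_addr: str, pihole_ip: str,
                      probe: Callable[[str, int], str] = tcp_probe) -> str:
    """Predict what a browser experiences for a blocked domain's A record."""
    if answer_addr in NULL_ADDRS:
        return "null-route"
    if answer_addr != pihole_ip:
        return "not-blocked"
    status: Dict[int, str] = {p: probe(answer_addr, p) for p in (80, 443)}
    if status[80] == "open":
        return "block-page"   # lighttpd answers on 80; 443 is a separate issue
    if "timeout" in status.values():
        return "silent-drop"  # the multi-minute page load described in the thread
    return "refused"


def diagnose(answers: Dict[str, str], pihole_ip: str,
             probe: Callable[[str, int], str] = tcp_probe) -> Dict[str, str]:
    """Classify every (domain -> returned A record) observation."""
    return {d: classify_sinkhole(a, pihole_ip, probe) for d, a in answers.items()}


# Constructed sample data (not a real capture); Pi-hole at 1.1.1.1 as in the thread.
PIHOLE_IP = "1.1.1.1"
SAMPLE_ANSWERS = {
    "z-na.amazon-adsystem.com": "1.1.1.1",  # blocked, answered with Pi-hole's IP
    "tracker.example": "0.0.0.0",           # blocked with a null answer
    "cdn.example": "203.0.113.10",          # not blocked, real content host
}


def firewall_simulated_probe(addr: str, port: int) -> str:
    """Stand-in for tcp_probe: assumes the firewall drops all TCP to Pi-hole."""
    return "timeout"


if __name__ == "__main__":
    for domain, verdict in diagnose(SAMPLE_ANSWERS, PIHOLE_IP, firewall_simulated_probe).items():
        print(f"{domain:28} -> {verdict}")
```

Replace `firewall_simulated_probe` with the default `tcp_probe` to test a live Pi-hole from a client on the LAN; a "silent-drop" verdict for domains answered with the Pi-hole's own IP is the firewall symptom described above.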

See here for the HTTPS (port 443) issue: