Please explain: Difference in blocking IPv4 and IPv6?

Sorry for not having had the time to look into this in enough detail so far. Here comes the explanation for what you're seeing:

brave-browser-apt-release.s3.brave.com

  • A blocked: The A record is a CNAME. FTL receives the CNAME, walks it and finds a domain that matches one of your regex filters. This is highlighted by the CNAME response below the Blocked status.
  • AAAA green: There is no AAAA (IPv6 address) record available for this domain. FTL forwards the domain, finds this result and sends it to the user.
dig A brave-browser-apt-release.s3.brave.com
; <<>> DiG 9.10.3-P4-Raspbian <<>> A brave-browser-apt-release.s3.brave.com @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31504
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;brave-browser-apt-release.s3.brave.com.	IN A

;; ANSWER SECTION:
brave-browser-apt-release.s3.brave.com.	3530 IN	CNAME u2.shared.global.fastly.net.
u2.shared.global.fastly.net. 3530 IN	A	151.101.114.217

;; AUTHORITY SECTION:
fastly.net.		7130	IN	NS	ns1.fastly.net.
fastly.net.		7130	IN	NS	ns2.fastly.net.
fastly.net.		7130	IN	NS	ns3.fastly.net.
fastly.net.		7130	IN	NS	ns4.fastly.net.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Jan 29 07:14:59 CET 2020
;; MSG SIZE  rcvd: 196
dig AAAA brave-browser-apt-release.s3.brave.com
; <<>> DiG 9.10.3-P4-Raspbian <<>> AAAA brave-browser-apt-release.s3.brave.com @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45674
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;brave-browser-apt-release.s3.brave.com.	IN AAAA

;; ANSWER SECTION:
brave-browser-apt-release.s3.brave.com.	3559 IN	CNAME u2.shared.global.fastly.net.

;; AUTHORITY SECTION:
fastly.net.		3559	IN	SOA	ns1.fastly.net. hostmaster.fastly.com. 2017052201 3600 600 604800 30

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Jan 29 07:14:30 CET 2020
;; MSG SIZE  rcvd: 166

www.msn.com

It is slightly different here: there are two CNAMEs involved (www.msn.com -> www-msn-com.a-0003.a-msedge.net -> a-0003.a-msedge.net). Again, the last CNAME does not have an AAAA record in it. It's not yet clear to me why you're seeing what you're seeing.

dig A www.msn.com
; <<>> DiG 9.10.3-P4-Raspbian <<>> A www.msn.com @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5352
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;www.msn.com.			IN	A

;; ANSWER SECTION:
www.msn.com.		3599	IN	CNAME	www-msn-com.a-0003.a-msedge.net.
www-msn-com.a-0003.a-msedge.net. 3600 IN CNAME	a-0003.a-msedge.net.
a-0003.a-msedge.net.	3599	IN	A	204.79.197.203

;; Query time: 224 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Jan 29 07:20:13 CET 2020
;; MSG SIZE  rcvd: 115
dig AAAA www.msn.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> AAAA www.msn.com @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28448
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;www.msn.com. IN AAAA

;; ANSWER SECTION:
www.msn.com. 3596 IN CNAME www-msn-com.a-0003.a-msedge.net.
www-msn-com.a-0003.a-msedge.net. 3597 IN CNAME a-0003.a-msedge.net.

;; AUTHORITY SECTION:
a-msedge.net. 3600 IN SOA ns1.a-msedge.net. msnhst.microsoft.com. 2016092901 1800 900 2419200 240

;; Query time: 43 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Jan 29 07:20:16 CET 2020
;; MSG SIZE rcvd: 156

@jpgpi250 Could you please enable query debug logging as described in my post from 2 hours ago? It will help us identify what is going on here and if there is a bug that needs to be fixed or if there is something else on the web interface we can improve on.

Not sure what you mean exactly. Are you asking whether these queries were made by FTL itself for CNAME inspection? If this is your question, then the answer is No. Firstly, CNAME checking does not trigger new queries, secondly, they were made by a different client. I cannot say why your client made two AAAA requests. That's up to it.

I'm working on showing the domain that was the actual blocking reason in case of CNAME blocking (also on the web interface), however, this may take a day or two until I find enough time to implement and test it. It's more changes than one would expect.

Done.
Opened a new tab (Edge browser) and typed www.msn.com -> page could NOT be displayed (blocked, as far as the browser is concerned)

In the web interface, query log:

Relevant content of the FTL log:

[2020-01-29 09:21:53.985 607] **** new UDP query[A] "www.msn.com" from 192.168.2.228 (ID 3941, FTL 10090, src/dnsmasq/forward.c:1571)
[2020-01-29 09:21:53.985 607] www.msn.com is not known
[2020-01-29 09:21:53.987 607] **** forwarded www.msn.com to fdaa:bbcc:ddee:2::5552 (ID 3941, src/dnsmasq/forward.c:566)
[2020-01-29 09:21:53.987 607] www.msn.com is known as not to be blocked
[2020-01-29 09:21:53.987 607] CNAME www.msn.com
[2020-01-29 09:21:53.987 607] **** got reply www.msn.com is (CNAME) (ID 3941, src/dnsmasq/cache.c:487)
[2020-01-29 09:21:53.988 607] www-msn-com.a-0003.a-msedge.net is not known
[2020-01-29 09:21:53.988 607] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-29 09:21:53.988 607] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 3941, src/dnsmasq/cache.c:487)
[2020-01-29 09:21:53.989 607] a-0003.a-msedge.net is not known
[2020-01-29 09:21:53.989 607] Blocking a-0003.a-msedge.net as domain is gravity blocked
[2020-01-29 09:21:53.989 607] CNAME www-msn-com.a-0003.a-msedge.net ---> a-0003.a-msedge.net
[2020-01-29 09:21:53.990 607] **** new UDP query[AAAA] "www.msn.com" from 192.168.2.228 (ID 3942, FTL 10091, src/dnsmasq/forward.c:1571)
[2020-01-29 09:21:53.990 607] www.msn.com is known as not to be blocked
[2020-01-29 09:21:53.990 607] **** forwarded www.msn.com to fdaa:bbcc:ddee:2::5552 (ID 3942, src/dnsmasq/forward.c:566)
[2020-01-29 09:21:53.991 607] www.msn.com is known as not to be blocked
[2020-01-29 09:21:53.991 607] CNAME www.msn.com
[2020-01-29 09:21:53.991 607] **** got reply www.msn.com is (CNAME) (ID 3942, src/dnsmasq/cache.c:487)
[2020-01-29 09:21:53.991 607] www-msn-com.a-0003.a-msedge.net is known as not to be blocked
[2020-01-29 09:21:53.991 607] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-29 09:21:53.991 607] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 3942, src/dnsmasq/cache.c:487)
[2020-01-29 09:21:53.992 607] **** got reply a-0003.a-msedge.net is (NODATA) (ID 3942, src/dnsmasq/cache.c:487)
[2020-01-29 09:21:54.377 607] **** new UDP query[AAAA] "www.msn.com" from 192.168.2.228 (ID 3943, FTL 10092, src/dnsmasq/forward.c:1571)
[2020-01-29 09:21:54.377 607] www.msn.com is known as not to be blocked
[2020-01-29 09:21:54.378 607] **** forwarded www.msn.com to fdaa:bbcc:ddee:2::5552 (ID 3943, src/dnsmasq/forward.c:566)
[2020-01-29 09:21:54.378 607] www.msn.com is known as not to be blocked
[2020-01-29 09:21:54.378 607] CNAME www.msn.com
[2020-01-29 09:21:54.378 607] **** got reply www.msn.com is (CNAME) (ID 3943, src/dnsmasq/cache.c:487)
[2020-01-29 09:21:54.379 607] www-msn-com.a-0003.a-msedge.net is known as not to be blocked
[2020-01-29 09:21:54.379 607] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-29 09:21:54.379 607] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 3943, src/dnsmasq/cache.c:487)
[2020-01-29 09:21:54.379 607] **** got reply a-0003.a-msedge.net is (NODATA) (ID 3943, src/dnsmasq/cache.c:487)

Would be a nice solution. Thanks.

Found another one


```
pihole -q ctldl.windowsupdate.com
[i] No results found for ctldl.windowsupdate.com within the block lists
```

Isn't this the same as my example (see also explanation of @DL6ER)?
My example was blocked by regex, this one by gravity.

I just want to point out it isn't related to a specific domain name, the problem occurs sometimes (I've been looking for examples all day), different domains, NOT very often.

First version available through

pihole checkout ftl new/CNAME_inspection_details
pihole checkout web new/CNAME_inspection_details

How the domain is shown can surely be discussed, I'm not a big fan of putting it in parentheses as shown here.


Concerning www.msn.com: Not sure why I haven't noticed this before, but the reason for the difference here is that the last element of the CNAME chain (a-0003.a-msedge.net) comes back empty (NODATA), leading to us skipping the analysis of this step. As there is nothing that could be blocked (as there is no content), there is also no need to analyze this last step.

Concerning ctldl.windowsupdate.com: I kindly ask for the pihole-FTL.log excerpt. My standard blocking list does not contain anything that would block anything here.
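The rule described in the post above (a last CNAME hop that comes back NODATA is not inspected, so the AAAA query passes while the A query for the same name is blocked) can be checked directly against the FTL debug log. This is an added example, not part of the thread or of Pi-hole's code; the function names are hypothetical, and attributing lines that carry no ID to the most recently seen query ID is an assumption about the log layout.

```python
import re

# Abridged from the FTL debug log posted in this thread (query IDs 3941, 3942).
SAMPLE_LOG = """\
[2020-01-29 09:21:53.985 607] **** new UDP query[A] "www.msn.com" from 192.168.2.228 (ID 3941, FTL 10090, src/dnsmasq/forward.c:1571)
[2020-01-29 09:21:53.987 607] **** got reply www.msn.com is (CNAME) (ID 3941, src/dnsmasq/cache.c:487)
[2020-01-29 09:21:53.988 607] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-29 09:21:53.988 607] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 3941, src/dnsmasq/cache.c:487)
[2020-01-29 09:21:53.989 607] Blocking a-0003.a-msedge.net as domain is gravity blocked
[2020-01-29 09:21:53.989 607] CNAME www-msn-com.a-0003.a-msedge.net ---> a-0003.a-msedge.net
[2020-01-29 09:21:53.990 607] **** new UDP query[AAAA] "www.msn.com" from 192.168.2.228 (ID 3942, FTL 10091, src/dnsmasq/forward.c:1571)
[2020-01-29 09:21:53.990 607] www.msn.com is known as not to be blocked
[2020-01-29 09:21:53.991 607] **** got reply www.msn.com is (CNAME) (ID 3942, src/dnsmasq/cache.c:487)
[2020-01-29 09:21:53.991 607] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-29 09:21:53.991 607] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 3942, src/dnsmasq/cache.c:487)
[2020-01-29 09:21:53.992 607] **** got reply a-0003.a-msedge.net is (NODATA) (ID 3942, src/dnsmasq/cache.c:487)
"""

PREFIX = re.compile(r"^\[[^\]]+\] ")  # "[timestamp pid] "
NEW_QUERY = re.compile(r'^\*{4} new \w+ query\[(\w+)\] "([^"]+)" from \S+ \(ID (\d+),')
REPLY = re.compile(r"^\*{4} got reply (\S+) is \(([^)]*)\) \(ID (\d+),")
ANY_ID = re.compile(r"\(ID (\d+),")
BLOCKING = re.compile(r"^Blocking (\S+) as domain is (\w+) blocked$")
KNOWN_BLOCKED = re.compile(r"^(\S+) is known as (\w+) blocked$")
CNAME_STEP = re.compile(r"^CNAME (\S+) ---> (\S+)$")

def analyze(log_text):
    """Group FTL debug lines by dnsmasq query ID and record the CNAME walk."""
    queries, current = {}, None
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw.strip())
        if m := NEW_QUERY.match(line):
            current = int(m.group(3))
            queries[current] = {"type": m.group(1), "chain": [m.group(2)],
                                "blocked_by": None, "last_reply": None}
            continue
        if m := ANY_ID.search(line):
            current = int(m.group(1))
        # Assumption: lines without an ID belong to the most recent ID seen.
        q = queries.get(current)
        if q is None:
            continue
        if m := REPLY.match(line):
            q["last_reply"] = (m.group(1), m.group(2))
        elif m := CNAME_STEP.match(line):
            if m.group(2) not in q["chain"]:
                q["chain"].append(m.group(2))
        elif m := BLOCKING.match(line) or KNOWN_BLOCKED.match(line):
            q["blocked_by"] = (m.group(1), m.group(2))
    return queries

def verdict(q):
    if q["blocked_by"]:
        domain, reason = q["blocked_by"]
        return f"blocked: {domain} in chain is {reason} blocked"
    if q["last_reply"] and q["last_reply"][1] == "NODATA":
        return f"not blocked: {q['last_reply'][0]} is NODATA, last step not inspected"
    return "not blocked"

if __name__ == "__main__":
    for qid, q in analyze(SAMPLE_LOG).items():
        print(qid, q["type"], " -> ".join(q["chain"]), "|", verdict(q))
```

Only the `gravity` reason appears in the log on this page; the `\w+` in the two blocking patterns is a generalization for other single-word reasons.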

I can't duplicate this. As I mentioned (pihole -q), I also have no gravity entry for this domain. Only the screenshot shows it has been blocked once. When I try this from a browser, all entries for the domain now show OK (forwarded); however, my screenshot shows it did happen at least once. The lookup is triggered by Windows Update (background service), NOT something I can control.

Did FTL still run in debug mode at this time? If so, you can just look for the time and extract the relevant lines from the log.

Unfortunately NO, I only activate this when I really need to.


No worries, when you want, you can try the two new branches. They will add the domain to the Query Log on the web so you can get the information even when you're not in debug mode.

I'm now on beta5, only got 3 FTL updates the last few days.

When I go to a new branch 'new/CNAME_inspection_details', can I go back to the Beta5 branch after I'm done testing, OR do I need to set up from scratch again (etcher v4.3.2 image)?

Yes. It's fully backwards compatible. The changes will be merged into the beta at some point.

Works as in the picture.


installed...

opened in browser (edge) -> blocked (can't reach this page).
result:

and again pihole FTL query debug enabled:

[2020-01-30 16:08:15.164 9241] FTL_db warn: STATUS should be within [0,8] but is 9
[2020-01-30 16:08:15.164 9241] FTL_db warn: STATUS should be within [0,8] but is 9
[2020-01-30 16:08:15.164 9241] FTL_db warn: STATUS should be within [0,8] but is 9
[2020-01-30 16:08:15.165 9241] FTL_db warn: STATUS should be within [0,8] but is 9
[2020-01-30 16:08:15.165 9241] FTL_db warn: STATUS should be within [0,8] but is 9
[2020-01-30 16:09:06.759 9243] Compiled 1 whitelist and 20 blacklist regex filters in 8.8 msec
[2020-01-30 16:09:06.761 9243] **** new UDP query[A] "www.msn.com" from 192.168.2.228 (ID 1, FTL 9306, src/dnsmasq/forward.c:1571)
[2020-01-30 16:09:06.762 9243] www.msn.com is not known
[2020-01-30 16:09:06.763 9243] **** forwarded www.msn.com to fdaa:bbcc:ddee:2::5552 (ID 1, src/dnsmasq/forward.c:566)
[2020-01-30 16:09:06.764 9243] **** forwarded www.msn.com to 127.10.10.2 (ID 1, src/dnsmasq/forward.c:558)
[2020-01-30 16:09:06.764 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.764 9243] CNAME www.msn.com
[2020-01-30 16:09:06.765 9243] **** got reply www.msn.com is (CNAME) (ID 1, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.765 9243] www-msn-com.a-0003.a-msedge.net is not known
[2020-01-30 16:09:06.765 9243] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-30 16:09:06.766 9243] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 1, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.766 9243] a-0003.a-msedge.net is not known
[2020-01-30 16:09:06.766 9243] Blocking a-0003.a-msedge.net as domain is gravity blocked
[2020-01-30 16:09:06.766 9243] CNAME www-msn-com.a-0003.a-msedge.net ---> a-0003.a-msedge.net
[2020-01-30 16:09:06.767 9243] **** new UDP query[AAAA] "www.msn.com" from 192.168.2.228 (ID 2, FTL 9307, src/dnsmasq/forward.c:1571)
[2020-01-30 16:09:06.767 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.767 9243] **** forwarded www.msn.com to fdaa:bbcc:ddee:2::5552 (ID 2, src/dnsmasq/forward.c:566)
[2020-01-30 16:09:06.768 9243] **** new UDP query[A] "www.msn.com" from 192.168.2.228 (ID 3, FTL 9308, src/dnsmasq/forward.c:1571)
[2020-01-30 16:09:06.768 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.768 9243] **** forwarded www.msn.com to fdaa:bbcc:ddee:2::5552 (ID 3, src/dnsmasq/forward.c:566)
[2020-01-30 16:09:06.769 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.769 9243] CNAME www.msn.com
[2020-01-30 16:09:06.769 9243] **** got reply www.msn.com is (CNAME) (ID 2, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.769 9243] www-msn-com.a-0003.a-msedge.net is known as not to be blocked
[2020-01-30 16:09:06.769 9243] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-30 16:09:06.769 9243] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 2, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.770 9243] **** got reply a-0003.a-msedge.net is (NODATA) (ID 2, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.770 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.770 9243] CNAME www.msn.com
[2020-01-30 16:09:06.770 9243] **** got reply www.msn.com is (CNAME) (ID 3, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.770 9243] www-msn-com.a-0003.a-msedge.net is known as not to be blocked
[2020-01-30 16:09:06.770 9243] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-30 16:09:06.771 9243] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 3, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.771 9243] a-0003.a-msedge.net is known as gravity blocked
[2020-01-30 16:09:06.771 9243] CNAME www-msn-com.a-0003.a-msedge.net ---> a-0003.a-msedge.net
[2020-01-30 16:09:06.771 9243] **** new UDP query[AAAA] "www.msn.com" from 192.168.2.228 (ID 4, FTL 9309, src/dnsmasq/forward.c:1571)
[2020-01-30 16:09:06.771 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.772 9243] **** forwarded www.msn.com to fdaa:bbcc:ddee:2::5552 (ID 4, src/dnsmasq/forward.c:566)
[2020-01-30 16:09:06.772 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.772 9243] CNAME www.msn.com
[2020-01-30 16:09:06.773 9243] **** got reply www.msn.com is (CNAME) (ID 4, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.773 9243] www-msn-com.a-0003.a-msedge.net is known as not to be blocked
[2020-01-30 16:09:06.773 9243] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-30 16:09:06.773 9243] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 4, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.773 9243] **** got reply a-0003.a-msedge.net is (NODATA) (ID 4, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.774 9243] **** new UDP query[A] "www.msn.com" from 192.168.2.228 (ID 5, FTL 9310, src/dnsmasq/forward.c:1571)
[2020-01-30 16:09:06.774 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.774 9243] **** got cache answer for www.msn.com /  / <unknown> (ID 5, src/dnsmasq/rfc1035.c:1714)
[2020-01-30 16:09:06.774 9243] **** forwarded www.msn.com to fdaa:bbcc:ddee:2::5552 (ID 5, src/dnsmasq/forward.c:566)
[2020-01-30 16:09:06.775 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.775 9243] CNAME www.msn.com
[2020-01-30 16:09:06.775 9243] **** got reply www.msn.com is (CNAME) (ID 5, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.775 9243] www-msn-com.a-0003.a-msedge.net is known as not to be blocked
[2020-01-30 16:09:06.775 9243] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-30 16:09:06.776 9243] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 5, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.776 9243] a-0003.a-msedge.net is known as gravity blocked
[2020-01-30 16:09:06.776 9243] CNAME www-msn-com.a-0003.a-msedge.net ---> a-0003.a-msedge.net
[2020-01-30 16:09:06.776 9243] **** new UDP query[AAAA] "www.msn.com" from 192.168.2.228 (ID 6, FTL 9311, src/dnsmasq/forward.c:1571)
[2020-01-30 16:09:06.776 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.777 9243] **** forwarded www.msn.com to fdaa:bbcc:ddee:2::5552 (ID 6, src/dnsmasq/forward.c:566)
[2020-01-30 16:09:06.777 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.777 9243] CNAME www.msn.com
[2020-01-30 16:09:06.777 9243] **** got reply www.msn.com is (CNAME) (ID 6, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.778 9243] www-msn-com.a-0003.a-msedge.net is known as not to be blocked
[2020-01-30 16:09:06.778 9243] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-30 16:09:06.778 9243] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 6, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.778 9243] **** got reply a-0003.a-msedge.net is (NODATA) (ID 6, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.778 9243] **** new UDP query[A] "www.msn.com" from 192.168.2.228 (ID 7, FTL 9312, src/dnsmasq/forward.c:1571)
[2020-01-30 16:09:06.779 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.779 9243] **** got cache answer for www.msn.com /  / <unknown> (ID 7, src/dnsmasq/rfc1035.c:1714)
[2020-01-30 16:09:06.779 9243] **** forwarded www.msn.com to fdaa:bbcc:ddee:2::5552 (ID 7, src/dnsmasq/forward.c:566)
[2020-01-30 16:09:06.780 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.780 9243] CNAME www.msn.com
[2020-01-30 16:09:06.780 9243] **** got reply www.msn.com is (CNAME) (ID 7, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.780 9243] www-msn-com.a-0003.a-msedge.net is known as not to be blocked
[2020-01-30 16:09:06.780 9243] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-30 16:09:06.781 9243] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 7, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.781 9243] a-0003.a-msedge.net is known as gravity blocked
[2020-01-30 16:09:06.781 9243] CNAME www-msn-com.a-0003.a-msedge.net ---> a-0003.a-msedge.net
[2020-01-30 16:09:06.781 9243] **** new UDP query[AAAA] "www.msn.com" from 192.168.2.228 (ID 8, FTL 9313, src/dnsmasq/forward.c:1571)
[2020-01-30 16:09:06.782 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.782 9243] **** forwarded www.msn.com to fdaa:bbcc:ddee:2::5552 (ID 8, src/dnsmasq/forward.c:566)
[2020-01-30 16:09:06.782 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.782 9243] CNAME www.msn.com
[2020-01-30 16:09:06.783 9243] **** got reply www.msn.com is (CNAME) (ID 8, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.783 9243] www-msn-com.a-0003.a-msedge.net is known as not to be blocked
[2020-01-30 16:09:06.783 9243] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-30 16:09:06.784 9243] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 8, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.784 9243] **** got reply a-0003.a-msedge.net is (NODATA) (ID 8, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.784 9243] **** new UDP query[A] "www.msn.com" from 192.168.2.228 (ID 9, FTL 9314, src/dnsmasq/forward.c:1571)
[2020-01-30 16:09:06.785 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.785 9243] **** got cache answer for www.msn.com /  / <unknown> (ID 9, src/dnsmasq/rfc1035.c:1714)
[2020-01-30 16:09:06.785 9243] **** forwarded www.msn.com to fdaa:bbcc:ddee:2::5552 (ID 9, src/dnsmasq/forward.c:566)
[2020-01-30 16:09:06.785 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.785 9243] CNAME www.msn.com
[2020-01-30 16:09:06.786 9243] **** got reply www.msn.com is (CNAME) (ID 9, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.786 9243] www-msn-com.a-0003.a-msedge.net is known as not to be blocked
[2020-01-30 16:09:06.786 9243] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-30 16:09:06.786 9243] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 9, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.786 9243] a-0003.a-msedge.net is known as gravity blocked
[2020-01-30 16:09:06.786 9243] CNAME www-msn-com.a-0003.a-msedge.net ---> a-0003.a-msedge.net
[2020-01-30 16:09:06.787 9243] **** new UDP query[AAAA] "www.msn.com" from 192.168.2.228 (ID 10, FTL 9315, src/dnsmasq/forward.c:1571)
[2020-01-30 16:09:06.787 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.787 9243] **** forwarded www.msn.com to fdaa:bbcc:ddee:2::5552 (ID 10, src/dnsmasq/forward.c:566)
[2020-01-30 16:09:06.788 9243] www.msn.com is known as not to be blocked
[2020-01-30 16:09:06.788 9243] CNAME www.msn.com
[2020-01-30 16:09:06.788 9243] **** got reply www.msn.com is (CNAME) (ID 10, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.789 9243] www-msn-com.a-0003.a-msedge.net is known as not to be blocked
[2020-01-30 16:09:06.789 9243] CNAME www.msn.com ---> www-msn-com.a-0003.a-msedge.net
[2020-01-30 16:09:06.789 9243] **** got reply www-msn-com.a-0003.a-msedge.net is (CNAME) (ID 10, src/dnsmasq/cache.c:487)
[2020-01-30 16:09:06.789 9243] **** got reply a-0003.a-msedge.net is (NODATA) (ID 10, src/dnsmasq/cache.c:487)

System has been up and running for a few hours now. Suddenly things appear to work; I haven't changed anything.

Browser caching issue. Please don't forget to clear the cache when updating web stuff. The previously displayed Unknown (9) was due to old, cached JavaScript code that was not yet aware of the new CNAME blocking modes.