Queries answered by dns.google

I do not understand how I could have any queries answered by dns.google. I have all queries forwarded to 127.0.0.1#5053 to be answered by DoH via cloudflared (hence the localhost entries). I have not seen this on the V4 install I have.

I can do a full bug report if necessary.

Debug token?

And what is in your /etc/pihole/setupVars.conf?

In addition, it might also be worth checking your /etc/resolv.conf and /etc/hosts for any occurrences of your offenders.

By the way:

Then usg might be just as suspicious as dns.google.

No, that is my DHCP server (Ubiquiti USG).

Will do, just was not sure if I'd missed something.

https://tricorder.pi-hole.net/7km0o8n6bl

BLOCKING_ENABLED=true
PIHOLE_INTERFACE=eth0
IPV4_ADDRESS=192.168.7.27/24
IPV6_ADDRESS=
QUERY_LOGGING=true
INSTALL_WEB_SERVER=false
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=false
WEBPASSWORD=f8e9bc952787bbdc879cb28cd953b7d3534d9e77fe916e4b9565590c9e0adc7e
DNSMASQ_LISTENING=single
PIHOLE_DNS_1=127.0.0.1#5053
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSSEC=false
CONDITIONAL_FORWARDING=true
CONDITIONAL_FORWARDING_IP=192.168.7.25
CONDITIONAL_FORWARDING_DOMAIN=local
CONDITIONAL_FORWARDING_REVERSE=7.168.192.in-addr.arpa

Could be the culprit.

root@DietPi:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.7.25

Or the volume is very low and you are seeing something from the debugger since that queries 8.8.8.8. Have you run the debugger more than just this one time for the token?

Might look at changing that to use the selected upstream instead of 8.8.8.8?

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] secure-drm.imrworldwide.com is 192.168.7.27 via localhost (127.0.0.1)
[✓] secure-drm.imrworldwide.com is 192.168.7.27 via Pi-hole (192.168.7.27)
[✓] doubleclick.com is 216.58.198.174 via a remote, public DNS server (8.8.8.8)

Once previously the other day. Clicking on the chart legend, did show more recent entries than that.

I don't know what that means - this was as per the installer AFAIK.

It appears to me that, if I click on the [image], I get a filtered list of those queries, but it is unclear to me if that is the case.


How could I manually run that query re dns.google?

Run

sqlite3 /etc/pihole/pihole-FTL.db "SELECT * FROM queries WHERE forward = '8.8.8.8' OR forward = '8.8.4.4';"

Note, however, that this is untested as I'm currently traveling and typed this on my phone. It may need some tweaking.

No bother. I'll PM the output - it is significant in my view as all this should have gone through my DoH.

[edit]
Oh and note that is different to the output by clicking on the legend.

There are some queries returned by this SQL command clearly indicating that these queries were sent to 8.8.4.4

Can you run

grep "8.8.4.4" /etc/dnsmasq.conf
grep "8.8.4.4" /etc/dnsmasq.d/*

so we can check if it is configured somewhere?

Also, let's see what is in the pihole log:

grep 8.8.4.4 /var/log/pihole.log | tail -n25

All returned nothing.

@DL6ER @jfb we can end the wild goose chase.

I think they were all before I had finished setting up the DoH. Last entry on the SQL query above is yesterday.

Apologies :man_facepalming:

You saw the remnants of the prior 24 hours. After you make a change to a new resolver, it takes 24 hours for the dashboard history to scroll off the left and exit the dashboard display. Any google.dns queries made will appear in the dashboard for 24 hours after they were made.

2 Likes
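
The check the thread converges on, as an added example that is not from any of the posters or from the Pi-hole project: group the `queries` table by `forward` and compare the last-seen time of every unexpected upstream with the time the DoH upstream went live. The in-memory table is a constructed stand-in for /etc/pihole/pihole-FTL.db; its minimal schema (including the `timestamp` column), the sample rows and `CHANGE_TS` are assumptions.

```python
import sqlite3

ALLOWED = {"127.0.0.1#5053"}  # PIHOLE_DNS_1 from the setupVars.conf posted above
CHANGE_TS = 1_700_000_000     # constructed: epoch second the DoH upstream went live


def build_sample_db():
    """Constructed stand-in for pihole-FTL.db (assumed minimal schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE queries (id INTEGER PRIMARY KEY, timestamp INTEGER, "
        "domain TEXT, forward TEXT)"
    )
    rows = [  # constructed sample rows
        (CHANGE_TS - 7200, "example.org", "8.8.8.8"),
        (CHANGE_TS - 3600, "example.net", "8.8.4.4"),
        (CHANGE_TS - 60, "example.com", "8.8.4.4"),
        (CHANGE_TS + 30, "example.org", "127.0.0.1#5053"),
        (CHANGE_TS + 90, "example.net", "127.0.0.1#5053"),
        (CHANGE_TS + 120, "blocked.example", None),  # not forwarded upstream
    ]
    db.executemany(
        "INSERT INTO queries (timestamp, domain, forward) VALUES (?, ?, ?)", rows
    )
    return db


def audit_upstreams(db, allowed, change_ts):
    """Map each unexpected upstream to (count, first_seen, last_seen, verdict)."""
    cur = db.execute(
        "SELECT forward, COUNT(*), MIN(timestamp), MAX(timestamp) "
        "FROM queries WHERE forward IS NOT NULL GROUP BY forward"
    )
    report = {}
    for upstream, count, first_seen, last_seen in cur:
        if upstream in allowed:
            continue
        # Everything older than the change is history that will age out;
        # anything newer means some resolver path still bypasses DoH.
        verdict = "stale" if last_seen < change_ts else "active-leak"
        report[upstream] = (count, first_seen, last_seen, verdict)
    return report


if __name__ == "__main__":
    for upstream, info in audit_upstreams(build_sample_db(), ALLOWED, CHANGE_TS).items():
        print(upstream, info)
```

A "stale" verdict matches what happened here; "active-leak" would mean going back to the dnsmasq, resolv.conf and debugger checks discussed above.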