thanks for the heads up, restarted testing, looks OK
and CNAME logging...
Jul 29 18:15:25 dnsmasq[25804]: query[A] fonts.gstatic.com from 192.168.2.228
Jul 29 18:15:25 dnsmasq[25804]: forwarded fonts.gstatic.com to fdaa:bbcc:ddee:2::5552
Jul 29 18:15:25 dnsmasq[25804]: reply fonts.gstatic.com is <CNAME>
Jul 29 18:15:25 dnsmasq[25804]: reply gstaticadssl.l.google.com is blocked during CNAME inspection
edit
As expected (see earlier), need to allow PTR queries: .*;querytype=PTR
/edit