In order to get better insight in to what is going on, add a list Top Blocked CNAMES to the Dashboard and Long Term Data / Top Lists.
I want to see the list of domain names queried, that did NOT trigger pihole v4.3.2 to block the query, but pihole 5 now does block.
The detail that a domain was blocked due to a CNAME path inspection is not stored in the database and lost when FTL looses a query out-of-sight (after 24 hours). There is no space in the database and I do not think it is important enough to change the long-term database format for this. Imagine how long a database upgrade might take on a Zero with millions of queries in the database (one year * dozens of thousands queries each day).
Similarly, a Top Blocked CNAMEs does not seem to make much sense. Not only that FTL would not be able to re-populate this information from the database on startup, I also don't see how this could really matter in any way. A blocked query is a blocked query in the end. You typically want to know what was queries by the device, originally (like telemetry.crappyhardware.co.uk) instead of what was really blocked in the end (x44465.crappyhardware.co.uk).
I'm currently thinking about implementing more details into the Query Log to also show the domain was was causing the decision but for this, I first need to make some fundamental changes in FTL's datastructure (currently, only one domain can be associated with a single query). Let's call is research-in-progress. No promises on a delivery right now.
I'm having trouble identifying queries blocked due to CNAME blocking. Do you mean, if a device is initiating a query for s12fg66.example.com (not in the blocklist) but it's really a CNAME for ads.adsdomain.com (in the blocklist), we will see s12fg66.example.com in the query log?
Yes. Showing both domains, the one requested + the one that was the reason for blocking the query, on the web interface is work-in-progress. It is already possible to follow the inspection in pihole-FTL.log given DEBUG_QUERIES=true in /etc/pihole/pihole-FTL.conf is set.
See
I would suggest to show the domain, when you mouseover.
mouseovers are near impossible on mobile.
Furthermore, there is already the tooltip on mouseover:
use the tooltip text to display the domain, followed by (CNAME) in parentheses. No need to repeat the original domain (blue entry in your screenshot is still visible).