Securing DNS by blocking queries AND responses [Dnscrypt questions]

When visiting facebook.com you will query s.update.fbsbx.com, which is a CNAME to s.agentanalytics.com. Currently the only way to block s.agentanalytics.com is to block s.update.fbsbx.com via the hosts file. The Windows DNS client, and even wildcard-blocking resolvers such as Dnscrypt, do not have the ability to block the parent domains returned in CNAME replies.

13:19:30 dnsmasq[1211]: query[A] s.update.fbsbx.com from 192.168.50.142
13:19:30 dnsmasq[1211]: forwarded s.update.fbsbx.com to 127.0.0.1
13:19:30 dnsmasq[1211]: reply s.update.fbsbx.com is <CNAME>
13:19:30 dnsmasq[1211]: reply s.agentanalytics.com is <CNAME>
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 52.20.233.11
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 35.170.177.215
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 34.235.44.232
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 34.194.252.192
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 18.206.130.128
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 52.202.107.183
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 18.209.97.44
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 35.173.82.169
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 23.22.178.204
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 18.206.103.1

Sometimes there may be multiple CNAMEs in a reply that reveal their actual hidden associations, for example:

13:55:28 dnsmasq[26607]: query[A] su.itunes.apple.com from 192.168.50.96
13:55:28 dnsmasq[26607]: forwarded su.itunes.apple.com to 127.0.0.1
13:55:29 dnsmasq[26607]: reply su.itunes.apple.com is <CNAME>
13:55:29 dnsmasq[26607]: reply su-cdn.itunes-apple.com.akadns.net is <CNAME>
13:55:29 dnsmasq[26607]: reply su-applak.itunes-apple.com.akadns.net is <CNAME>
13:55:29 dnsmasq[26607]: reply su.itunes.apple.com.edgekey.net is <CNAME>
13:55:29 dnsmasq[26607]: reply e673.dsce9.akamaiedge.net is 184.50.162.217

13:55:29 dnsmasq[26607]: query[A] xp.apple.com from 192.168.50.96
13:55:29 dnsmasq[26607]: forwarded xp.apple.com to 127.0.0.1
13:55:29 dnsmasq[26607]: reply xp.apple.com is <CNAME>
13:55:29 dnsmasq[26607]: reply xp.itunes-apple.com.akadns.net is <CNAME>
13:55:29 dnsmasq[26607]: reply xp.apple.com.edgekey.net is <CNAME>
13:55:29 dnsmasq[26607]: reply e17437.dscb.akamaiedge.net is 23.214.192.96

DNSCRYPT allows wildcard blocking of outgoing domain queries, for example [analytics], but it will not block incoming responses, nor the caching of the s.agentanalytics.com IPs. Or, for example, if one blocks s.agentanalytics.com in the Windows hosts file or in dnscrypt, it will still be accessible via s.update.fbsbx.com. I showed dnscrypt's coder how this analytics domain bypasses his wildcard protections, and he told me: "These entries are not within the parent zone and are ignored by all stub resolvers." And here he goes into more detail

Is this incorrect?

If these IPs are ignored by the stub resolver (which includes the Windows DNS client), as he previously claimed, why are they cached to begin with? Are these IPs potentially usable by a state party/MITM, as suggested here? I saw s.update.fbsbx.com in uMatrix; what IP would it then be associated with, other than the s.agentanalytics.com IP addresses?

If he is incorrect, and DNSCRYPT wildcard blocks refused to cache these IP responses, one could better secure one's network.

Here is another example: 21 queries occur when an iPhone first connects to Wi-Fi, and the responses include 72 domains and IPs that are not in the parent domain. He is saying this is all ignored.

Here, https://pastebin.com/GYSEw1dY
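The difference the post is asking about, a filter that looks only at the queried name versus one that also looks at every owner name in the answer section, can be shown on the dnsmasq lines above. The following is an added example and not code from the original post, from dnsmasq or from dnscrypt-proxy. It assumes the dnsmasq "log-queries" line format shown in the post, that reply lines belong to the most recent query line (true for a single client, not for busy interleaved logs), and it uses plain fnmatch globs (e.g. "*analytics*") as a stand-in for a resolver's wildcard blocklist rather than dnscrypt-proxy's actual blocklist grammar. The sample log is constructed from the post's entries.

```python
"""CNAME-chain checking over dnsmasq query logs.

Added example, not code from the original post, dnsmasq or dnscrypt-proxy.
It rebuilds the CNAME chain behind each query from dnsmasq 'log-queries'
output and compares two filters: one that only looks at the queried name
(what a wildcard query blocklist sees) and one that also checks every owner
name in the answer section.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample log, same format as the dnsmasq lines in the post.
SAMPLE_LOG = """\
13:19:30 dnsmasq[1211]: query[A] s.update.fbsbx.com from 192.168.50.142
13:19:30 dnsmasq[1211]: forwarded s.update.fbsbx.com to 127.0.0.1
13:19:30 dnsmasq[1211]: reply s.update.fbsbx.com is <CNAME>
13:19:30 dnsmasq[1211]: reply s.agentanalytics.com is <CNAME>
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 52.20.233.11
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 35.170.177.215
13:55:28 dnsmasq[26607]: query[A] su.itunes.apple.com from 192.168.50.96
13:55:28 dnsmasq[26607]: forwarded su.itunes.apple.com to 127.0.0.1
13:55:29 dnsmasq[26607]: reply su.itunes.apple.com is <CNAME>
13:55:29 dnsmasq[26607]: reply su-cdn.itunes-apple.com.akadns.net is <CNAME>
13:55:29 dnsmasq[26607]: reply e673.dsce9.akamaiedge.net is 184.50.162.217
"""

LINE_RE = re.compile(r"^\d\d:\d\d:\d\d dnsmasq\[\d+\]: (?P<rest>.*)$")
QUERY_RE = re.compile(r"^query\[\w+\] (?P<name>\S+) from (?P<client>\S+)$")
REPLY_RE = re.compile(r"^reply (?P<name>\S+) is (?P<rdata>\S+)$")
# Markers dnsmasq prints in the rdata position that are not addresses.
NON_ADDRESS = ("<CNAME>", "NXDOMAIN", "NODATA")


def parse_chains(log_text):
    """One record per query: queried name, client, ordered CNAME chain, IPs.

    Assumption: reply lines belong to the most recent query line. dnsmasq
    prints them in that order for a single client; a busy log with
    interleaved clients would need the per-query id from log-queries=extra.
    """
    records, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        q = QUERY_RE.match(rest)
        if q:
            current = {"query": q.group("name"), "client": q.group("client"),
                       "chain": [], "ips": []}
            records.append(current)
            continue
        r = REPLY_RE.match(rest)
        if r and current is not None:
            name, rdata = r.group("name"), r.group("rdata")
            # dnsmasq logs "X is <CNAME>" without the target; the target is
            # the owner name on the next reply line, so collecting owner
            # names in order reproduces the chain.
            if name not in current["chain"]:
                current["chain"].append(name)
            if not rdata.startswith(NON_ADDRESS):
                current["ips"].append(rdata)
    return records


def matches(name, patterns):
    """Case-insensitive glob match ('*analytics*', '*.akadns.net').

    Simplification: plain fnmatch, not dnscrypt-proxy's blocklist grammar.
    """
    name = name.lower().rstrip(".")
    return any(fnmatchcase(name, p.lower()) for p in patterns)


def classify(records, patterns):
    """Compare a query-name-only filter with an answer-aware filter."""
    results = []
    for rec in records:
        by_query = matches(rec["query"], patterns)
        # First name anywhere in the chain that the blocklist would hit.
        hit = next((n for n in rec["chain"] if matches(n, patterns)), None)
        results.append({
            "query": rec["query"],
            "blocked_by_query_filter": by_query,
            "blocked_by_answer_filter": hit is not None,
            "matched_name": hit,
            # Addresses the client receives and caches when only the
            # queried name is checked: the bypass described in the post.
            "ips_cached_under_query_filter": [] if by_query else list(rec["ips"]),
        })
    return results


if __name__ == "__main__":
    for res in classify(parse_chains(SAMPLE_LOG), ["*analytics*"]):
        print(res)
```

With the pattern "*analytics*", the s.update.fbsbx.com query passes the query-name filter, so the agentanalytics.com addresses reach the client and its cache, while the answer-aware filter flags it on s.agentanalytics.com. Run against a real dnsmasq log this gives a list of names that a query-only blocklist lets through behind a first-party CNAME.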