someone correct me but
If a webpage has a link to https://deviouscname.firstparty.tld and that is actually a CNAME for adserver.devious.tld, won't my system make 2 dns reqeusts: the first for deviouscname.firstparty.tld which returns adserver.devious.tld, and a 2nd that resolves adserver.devious.tld to 8.8.9.9, which will be blocked because of 1) devious.tld or 8.8.0.0/16?