So something I've encountered whilst running pi-hole on and off over the last 12 months on a Raspberry Pi 3, then 3+, and now in a docker container in unRaid, is that some https enabled sites become interminably slow to load while using pi-hole and a lot of guides jump to a self-signed ssl cert for the pi-hole. The idea is that rather than getting an add the page get's a dummy web page from pi-hole but obviously this an man in the middle (MitM) attack which isn't ideal.
I recently found this solution which I've been utilising with my docker setup for a couple of weeks now and it's been great. Here's the link https://pi-hole.net/2018/02/02/why-some-pages-load-slow-when-using-pi-hole-and-how-to-fix-it/ but in a nutshell, you just set a firewall rule on your pi-hole that blocks certain requests on port 80 and 443 using the following rules.
iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable
ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp6-port-unreachable
You'll also need to save the rules with the following commands.
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
Obviously, you need iptables installed which for the docker image you'll find they aren't by default but the official docker image uses Debian so it's a trivial step to install it. Interestingly this does work to block Google's QUIC ad system which was designed to bypass this sort of adblocking solution.
So yeah, turns out you can't just send all dns queries to 0.0.0.0 (null) and they have to be redirected somewhere. And because they're redirected somewhere the browser will just sit there and wait for the connection to timeout. Thankfully the solution is simple, just not well documented unfortunately.