I don't tunnel HTTP/HTTPS requests to doubleclick.net at all to begin with (I use a whitelist for HTTP/HTTPS), but if someone were to do too many DNS requests for the same domain in a short period of time, I drop those requests, as it means the Source IP I'm seeing is actually the IP of the victim of a DNS Amplification attack and sending them the response would make me a participant in that attack.
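
One way to implement the drop rule described above, as an added example that is not the poster's own code: a sliding-window limiter keyed on (source IP, queried name). The class name, the threshold of 3 queries per second, and the sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class RepeatQueryLimiter:
    """Drop DNS queries when one source repeats one name too often.

    Over UDP the source address can be spoofed, so a burst of identical
    queries from one address is treated as a likely reflection attempt and
    is left unanswered. Thresholds are assumed values, not the poster's.
    """

    def __init__(self, max_queries=3, window_seconds=1.0):
        self.max_queries = max_queries
        self.window = window_seconds
        self._seen = defaultdict(deque)  # (src_ip, qname) -> answered timestamps

    def allow(self, src_ip, qname, now):
        # DNS names are case-insensitive and may carry a trailing dot.
        key = (src_ip, qname.rstrip(".").lower())
        times = self._seen[key]
        while times and times[0] <= now - self.window:
            times.popleft()  # forget answers older than the window
        if len(times) >= self.max_queries:
            return False  # drop silently: no response leaves the server
        times.append(now)
        return True

    def prune(self, now):
        """Free state for keys with no recent answers (bounds memory)."""
        for key in [k for k, t in self._seen.items()
                    if not t or t[-1] <= now - self.window]:
            del self._seen[key]


# Constructed sample traffic: (seconds, source IP, queried name).
SAMPLE_QUERIES = [
    (0.00, "198.51.100.7", "doubleclick.net"),
    (0.10, "198.51.100.7", "DoubleClick.NET."),
    (0.20, "198.51.100.7", "doubleclick.net"),
    (0.25, "203.0.113.9", "doubleclick.net"),   # different source
    (0.30, "198.51.100.7", "doubleclick.net"),  # 4th in window: dropped
    (0.35, "198.51.100.7", "example.org"),      # different name
    (0.40, "198.51.100.7", "doubleclick.net"),  # still over limit: dropped
    (1.50, "198.51.100.7", "doubleclick.net"),  # window has passed
]


def run_sample():
    limiter = RepeatQueryLimiter(max_queries=3, window_seconds=1.0)
    return [limiter.allow(src, name, t) for t, src, name in SAMPLE_QUERIES]
```

Dropped queries are not recorded, so a sustained burst still receives at most `max_queries` answers per window; call `prune` periodically so spoofed sources cannot grow the table without bound.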