The DNS server is only one thing you tell the domain, the other is the certificate authority. And those publish all issued certificates as part of certificate transparency. https://en.m.wikipedia.org/wiki/Certificate_Transparency
To mitigate the amount of published information, you can request wildcard certs to keep the subdomains private.
You can also use a wildcard cname entry to capture all subdomains and leave out the pihole faff, given that you use a reverse proxy that forwards to respective services by subdomain.
There are also static export plugins for wordpress. One needs to get rid of comment boxes and such as they don’t work then of course. But if all content is already in WordPress, serving just the static export is a low friction solution.