All device level block list don’t Block anything that is state is it is an IP or IP range only domain

I was trying to block, for some of my segments, 8.8.8.8/32 and 8.8.4.4/32 On all device level. However I learned that if I have any allow rules from all devices down to group levels they will override the block. Whether this is in a list or a specific entry. If I were to  Use a domain that represents the same ip Range and this would not  Happen. I perfoemee a  trace route and the difference between the two. Consequently I had to implement this on a group level and I’m wondering why there would be any difference  Is the rate for policy is that it applies to all devices is higher level security then specific network or group in terms of policy routing. I couls attach screen shots (if i knew how:) so you can figure out my highly advanced technical skills :(