Couldn't that be done later, by blocking the actual HTTP TCP connections instead of blocking the DNS requests? Maybe it's an efficiency issue, that they want the higher-efficiency blocking by DNS rather than lower-efficiency blocking during HTTP TCP, but that seems a little strange to me.