If you want to block it from things you don't trust to have such methods (or always listen to them) you'll have to upgrade to a firewall that can filter outbound connections to IPs the client hasn't received a DNS response for or require use of an explicit HTTP proxy for outbound connectivity.
Just blocking DNS can be a good middle ground for reasonable effectiveness without as much effort.