My DNS just has blackhole entries for the root domains
Don't forget to block those nice 'free' fonts from google as well...
or as it's stored in my blackhole list:-
The powershell script is from https://cyber-defense.sans.org/blog/2010/08/31/windows-dns-server-blackhole-blacklist/
I've been using it since early 2011; it needed a few tweaks to prevent unintended blocks (youtube etc.), and there are curated lists available of advertising / malware domains (same thing really) to get you started.
To pre-empt the expected 'what about usage on public connections' question - simple: no personal details are used or stored on devices used outside of our control, personal devices are on a separate VLAN to work devices, and all devices used in public are either hobbled to prevent use outside of their intended work purpose (no browser etc.) or only connect to our own 'walled garden' via VPN.
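The "blackhole entries" and the "tweaks to prevent unintended blocks" described in this comment, as an added example that is not part of the comment and is not the SANS dnscmd-based script it links to. It uses the DnsServer PowerShell module cmdlets (Add-DnsServerPrimaryZone, Add-DnsServerResourceRecordA, Get-DnsServerZone; Windows Server 2012 and later) to create one sinkhole zone per blocked domain, with an allowlist so that a blocklist entry for a parent domain cannot silently take out a service that lives under it. The blocklist and allowlist contents are constructed for the example, and the sinkhole address 10.0.0.250 is a placeholder for an internal host that logs connection attempts.

```powershell
# Added example: populate Windows DNS Server blackhole zones from a blocklist,
# skipping any domain that is an allowlisted name or one of its parents.
# Requires the DnsServer module (Windows Server 2012+); this is not the SANS
# script referenced in the comment above.
Import-Module DnsServer

# Constructed sample input (one domain per line, '#' starts a comment).
$BlocklistText = @"
# constructed blocklist for this example
ads.example
tracker.example
example.net      # a parent of the allowlisted name below
"@
$AllowlistText = @"
video.example.net
"@

# Placeholder: internal sinkhole host that logs the attempts it receives, so
# blocked lookups double as a detection signal. 127.0.0.1 also works if you
# only want the traffic dropped.
$SinkholeAddress = '10.0.0.250'

# Strip comments and blank lines, normalise case, keep only plausible names.
function ConvertTo-DomainList {
    param([string]$Text)
    $Text -split "`r?`n" |
        ForEach-Object { ($_ -split '#')[0].Trim().ToLowerInvariant() } |
        Where-Object { $_ -match '^([a-z0-9-]+\.)+[a-z0-9-]+$' } |
        Sort-Object -Unique
}

# True if $Domain is an allowlisted name or a parent of one: blackholing a
# parent zone would answer for every name beneath it.
function Test-Allowlisted {
    param([string]$Domain, [string[]]$Allowlist)
    foreach ($allowed in $Allowlist) {
        if ($allowed -eq $Domain -or $allowed.EndsWith(".$Domain")) { return $true }
    }
    return $false
}

function Add-BlackholeZone {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Domain, [string]$Address)
    if (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue) {
        Write-Verbose "zone $Domain already exists, skipping"
        return
    }
    if ($PSCmdlet.ShouldProcess($Domain, 'create blackhole zone')) {
        Add-DnsServerPrimaryZone -Name $Domain -ZoneFile "$Domain.dns"
        # Apex and wildcard records: the domain and every subdomain resolve
        # to the sinkhole. Short TTL so removing a zone takes effect quickly.
        Add-DnsServerResourceRecordA -ZoneName $Domain -Name '@' -IPv4Address $Address -TimeToLive 01:00:00
        Add-DnsServerResourceRecordA -ZoneName $Domain -Name '*' -IPv4Address $Address -TimeToLive 01:00:00
    }
}

$allow = ConvertTo-DomainList $AllowlistText
foreach ($domain in ConvertTo-DomainList $BlocklistText) {
    if (Test-Allowlisted -Domain $domain -Allowlist $allow) {
        Write-Warning "not blackholing $domain: an allowlisted name lives under it"
        continue
    }
    Add-BlackholeZone -Domain $domain -Address $SinkholeAddress -Verbose
}
```

Run it once with `-WhatIf` added to the Add-BlackholeZone call to see which zones would be created; with the sample input it creates ads.example and tracker.example and warns about example.net. Afterwards `Resolve-DnsName ads.example -Server <your DNS server>` should return the sinkhole address, and the sinkhole host's connection log tells you which clients were trying to reach blocked names.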