Doing so at the dns layer is a much better option, as it prevents the end user or malware from bypassing those restrictions with a non-standard browser or modifying the client settings (which shouldn't happen, but can).
In an enterprise environment, which is exactly what this is aimed at, that kind of protection is a boon against the random shit end users click on.