I'm not sure I like this approach. This would probably cause a lot of problems for people that insist on running their own name resolver (e.g. Unbound), right?
It would also block any services that connect directly to an IP address, use a hosts file to resolve, or use external DNS servers (e.g., Google devices using 8.8.8.8 directly).
Most likely anyone deploying this is also capable of redirecting all standard DNS traffic destined for external DNS servers to this resolver instead.
The use of hosts files and direct connections to external IP addresses based upon IP address are rare among user workstations. Any legitimate need to connect directly via IP address could be handled by exception.
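For readers who want to see what the two previous comments describe in practice (steering every outbound port-53 query at a hard-coded external server, such as 8.8.8.8, to the local resolver, while keeping a small allowlist for hosts that genuinely need to bypass it), here is an added nftables ruleset. It is not from this thread or from any project mentioned in it; the interface name `lan0`, the resolver address 192.0.2.53, the client subnet and the allowlist entry are all constructed placeholders from the documentation range, and it assumes a kernel and nftables release new enough to support NAT in the `inet` family.

```nftables
# Added example, not from the thread. Assumed values (constructed):
#   lan0         - interface facing the user workstations
#   192.0.2.53   - the local resolver (e.g. an Unbound instance)
#   192.0.2.10   - one host allowed to talk to external DNS directly

table inet dns_policy {
    # Hosts permitted to bypass the local resolver; add exceptions here
    # rather than weakening the redirect for everyone.
    set dns_bypass_allowed {
        type ipv4_addr
        elements = { 192.0.2.10 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Queries already addressed to the local resolver need no rewrite.
        iifname "lan0" ip daddr 192.0.2.53 udp dport 53 accept
        iifname "lan0" ip daddr 192.0.2.53 tcp dport 53 accept

        # Allowlisted sources keep whatever upstream they configured.
        iifname "lan0" ip saddr @dns_bypass_allowed udp dport 53 accept
        iifname "lan0" ip saddr @dns_bypass_allowed tcp dport 53 accept

        # Everything else aimed at port 53 (8.8.8.8 or any other external
        # server) is transparently steered to the local resolver. The
        # counters make it easy to see how much traffic is being rewritten.
        iifname "lan0" udp dport 53 counter dnat ip to 192.0.2.53
        iifname "lan0" tcp dport 53 counter dnat ip to 192.0.2.53
    }
}
```

Load it with `nft -f` and watch the counters (`nft list table inet dns_policy`) to spot devices that keep trying to reach external resolvers. Two caveats a deployer should keep in mind: the redirect only covers plain DNS on port 53, so encrypted DNS (DNS over TLS on 853, DNS over HTTPS on 443) needs separate handling, and it does nothing for the direct-to-IP connections raised above, which still have to be handled by the per-host exception mechanism rather than by DNS policy.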