Seems that CloudFlare has upped the ante; now "dns.cloudflare.com" shares the same IPs as "cdnjs.cloudflare.com"; thus blocking one by IP effectively blocks the other. And since the service I'm trying to block is on HTTPS, a block by IP will no longer work. I'll have to insert a layer 7 proxy to filter requests, just like with the Google endpoints.

Here's hoping my network doesn't get sacked with malware or some other nefarious actors bypassing my local DNS resolver before I can get an appropriate implementation in place.