Seeing that you do not want this for one system, but for all systems on a LAN going to the Internet, the most logical thing is to check in the router.

A, very theoretical, solution then could be that the router resolves all destination IP addresses into hostnames and when the hostnames then are (or end in) a text that is in a blacklist, drop the packet.

IMHO programming the router to ones needs is the key here.