Comment by itake

My employer uses Zscaler. I don't know exactly how they implement this, but my educated guess is the corporate DNS server doesn't resolve domains that were created recently.

In technical terms, the device asks the private corporate DNS server for the IP address of the hostname. The private DNS server checks the requested domain against a threat intelligence feed that tracks domain registration dates (and security risks). If the domain is deemed a threat, either return an IP address which points at a server that shows a warning message (if http traffic) or return an invalid IP (0.0.0.0).