The browser already has built-in controls to prevent the user from visiting "dangerous" sites, and to say that "browser or DNS or SPI" is mutually exclusive is to ignore the Defense in Depth strategy of using all methods in concert, to ensure that at least one will catch the bad requests.
In Chrome, it's called "Safe Browsing", and it's currently optional, Standard, or Enhanced.
In Chrome, it's called "Safe Browsing", and it's currently optional, Standard, or Enhanced.