As Ed Fries suggests, the DNS solutions is:

1. Set up a (or two) DNS server(s) with either forwarding or the root hints zone, which will make it return non-authoritative answers for all domains on the internet.
2. Set your clients to use this/these DNS servers, by configuring your DHCP server appropriately (or manually on the client).
3. Optionally block 53/udp outbound on your firewall, to prevent clients on your network from using another DNS server.
4. Create an authoritative zone on your DNS server for the domains you want to block, and optionally create A/CNAME etc records for them. Doing this will prevent your DNS server from forwarding the request on and getting the real answer, as it thinks it is authoritative.

There are ways around this:

• If you don't do step 3, clients can simply use a public DNS server (eg, Google provides public DNS)
• People can use a VPN/proxy to get past it
• For some sites, they'll be able to type in the IP (if they know it) and get to the site anyways, no configuration changes needed.

There are other ways to block sites (block the IP at the firewall, for example) that may be a bit more reliable/less work, though for almost everything there is a way around it if your users are savvy enough.

Answer

The short answer to your specific question of listing CNAMEs is that you cannot without permission to do zone transfers (see How to list all CNAME records for a given domain?).

That said, if your company's DNS server still supports the ANY query, you can use dig to list the other records by doing:

dig +noall +answer +multiline yourdomain.yourtld any 

These ... +noall +answer +multiline ... are strictly optional and are simply output formatting flags to make the output more easily human readable (see dig man page ).

Example

$ dig +noall +answer +multiline bad.horse any

Returns:

bad.horse.              7200 IN A 162.252.205.157
bad.horse.              7200 IN CAA 0 issue "letsencrypt.org"
bad.horse.              7200 IN CAA 0 iodef "mailto:abuse@sandwich.net"
bad.horse.              7200 IN MX 10 mx.sandwich.net.
bad.horse.              7200 IN NS a.sn1.us.
bad.horse.              7200 IN NS b.sn1.us.
bad.horse.              7200 IN SOA a.sn1.us. n.sn1.us. (
                                2017032202 ; serial
                                1200       ; refresh (20 minutes)
                                180        ; retry (3 minutes)
                                1209600    ; expire (2 weeks)
                                60         ; minimum (1 minute)
                                )

Caveats (RFC8482)

Note that, since around 2019, most public DNS servers have stopped answering most DNS ANY queries usefully. For background on that, see: https://blog.cloudflare.com/rfc8482-saying-goodbye-to-any/

If ANY queries do not enumerate multiple records, the only option is to request each record type (e.g. A, CNAME, or MX) individually.