You're thinking about this bass-ackwards. For a stable corporate release, use the ESR of Firefox. Don't try blocking things in DNS--for two reasons. First, there are now lots of mobile machines likely to be on the corporate networks (personal laptops, tablets, smartphones), and there's no reason to block them. Second, lots of corporate machines are notebooks, so they are going to be online outside of the LAN, and will autoupdate there. So better to go with a different release path than to try to do this at the firewall.