I will be the first to admit I know enough to be dangerous with DNS but not enough to know how to configure UCS DNS to return a negative answer for two icloud.com hosts for the upcoming Private Relay feature in macOS Monterey.
https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/
The above doc says I have to return a negative answer for mask.icloud.com and mask-h2.icloud.com if I want to block it, which I am required to do as a K12 school for internet filtering. If I set up icloud.com as a domain, how would I just return negative answers (NXDOMAIN or NODATA) for just these two hosts? Do I have to add all other hosts except these two? Seems like a ton of work that way.
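An added example, not from the original post or from Univention, of how BIND 9's Response Policy Zone (RPZ) feature answers just those two names negatively while every other icloud.com name keeps resolving normally, so no full copy of the icloud.com zone is needed. It assumes the UCS DNS server is BIND 9, that the file paths shown are placeholders, and that UCS generates its named.conf from templates, so the correct place for a local override should be checked before editing these files.

```conf
# --- /etc/bind/named.conf.options (assumed path): turn on the policy zone ---
options {
    # existing options stay as they are ...
    response-policy { zone "rpz.local"; };
};

# --- /etc/bind/named.conf.local (assumed path): define the policy zone ---
zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
    allow-query { none; };   # policy data only, never served to clients directly
};

; --- /etc/bind/db.rpz.local (assumed path): the two hostnames to block ---
$TTL 300
@                    IN SOA   localhost. root.localhost. ( 1 3600 900 604800 300 )
@                    IN NS    localhost.
; "CNAME ." rewrites the response to NXDOMAIN; use "CNAME *." for NODATA instead.
mask.icloud.com      IN CNAME .
mask-h2.icloud.com   IN CNAME .
```

After `rndc reload`, `dig mask.icloud.com @<ucs-dns-ip>` should show `status: NXDOMAIN` while `dig www.icloud.com @<ucs-dns-ip>` still returns a normal answer; RPZ only rewrites answers the resolver hands to clients, so it has no effect on devices that use a different resolver.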