iCloud Private Relay DNS negative answer

I will be the first to admit I know enough to be dangerous with DNS but not enough to know how to configure UCS DNS to return a negative answer for two icloud.com hosts for the upcoming Private Relay feature in MacOS Monterey.

https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/

The above doc says I have to return a negative answer for mask.icloud.com and mask-h2.icloud.com if I want to block it which I am required to do as a K12 school for internet filtering. If I setup icloud.com as a domain how would I just return negative answers (NXDOMAIN or NODATA) for just these two hosts? Do I have to add all other hosts except these two? Seems like a ton of work that way.

I haven’t tried it, but could you make two zones with those names and not have a record for them? I’ve never had to do anything like that, but I think that would work. Someone else may have a more elegant solution.