Implement DNS Blacklist in the DNS Server, not the IPS subsystem.
IPS blocks queries to resolve untrusted host names. This tells the client that the DNS server has failed, not that the query should not be resolved. Consequently, the client immediately re-attempts the query using a different path. The consequences of receiving no response from any DNS server are implementation-specific and therefore unpredictable.
Instead, we need UTM to return a non-existent domain result (NXDOMAIN), so the client stops trying to resolve the name at all. This is how Quad9 is described to work. To produce this result, the blacklist has to be moved out of IPS and into the DNS Server.
See the notes at the end of this forum post for detailed information about how one customer has built his own solution to do this using Linux technology.
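To illustrate the behaviour being requested, here is an added example (not the customer solution referred to above and not UTM code): a minimal DNS handler that answers queries for blacklisted names, and their subdomains, with RCODE 3 (NXDOMAIN) while returning None for everything else so the caller can forward it upstream. The blacklist entries and the query packets are constructed for the demonstration.

```python
import struct
from typing import Optional, Tuple

# Constructed blacklist for the demonstration; a real resolver would load its block list.
BLACKLIST = {"malicious.example", "tracker.example"}

def parse_qname(packet: bytes) -> Tuple[str, int]:
    """Return (qname, offset just past the question section) from a wire-format DNS query."""
    labels, pos = [], 12  # the fixed DNS header is 12 bytes
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower(), pos + 4  # skip QTYPE and QCLASS

def is_blocked(qname: str) -> bool:
    """Match the listed domain itself and any name beneath it."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in BLACKLIST for i in range(len(parts)))

def nxdomain_response(query: bytes) -> Optional[bytes]:
    """Build an NXDOMAIN reply for a blocked query; None means 'not blocked, forward upstream'."""
    qname, qend = parse_qname(query)
    if not is_blocked(qname):
        return None
    txid, flags = struct.unpack("!HH", query[:4])
    # QR=1 (response), keep OPCODE, AA=1, copy RD, RA=1, RCODE=3 (NXDOMAIN)
    rflags = 0x8000 | (flags & 0x7800) | 0x0400 | (flags & 0x0100) | 0x0080 | 3
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)  # QDCOUNT=1, no answer records
    return header + query[12:qend]  # echo the question section unchanged

def rcode(packet: bytes) -> int:
    """Extract the 4-bit RCODE from a DNS header."""
    return struct.unpack("!H", packet[2:4])[0] & 0x000F

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed A-record query (sample input, not captured traffic)."""
    qname = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```

Because the reply carries the client's transaction ID and RCODE 3, a stub resolver treats the name as definitively non-existent instead of failing over to another DNS path.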