To block these sites, I forced all DHCP clients to use my AD server as the DNS resolver, with OpenDNS as my forwarding Internet DNS server. On the FW, I just set port 53 or DNS to only use OpenDNS as the only DNS - all other DNS resolvers are blocked (this is on OUTBOUND or LAN). In AD, I create DNS zones such as logmein.com, teamviewer.com, and all the DNS I want to prevent from going out internally, and I resolve them to the IP address of google.com - every time they try to resolve these sites, they redirect to google.com. If they try to use GoogleDNS or others, it doesn't work either. It was easier to put these DNS hosts in AD than in pfSense - hopefully there is a better option in pf's future.
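
The AD side of the setup described above can be scripted with the Windows DnsServer module. This is an added example and not part of the original post. The sinkhole address is a constructed placeholder, and the forwarder addresses are OpenDNS's public resolvers, which the post does not list.

```powershell
#Requires -Modules DnsServer
# Added example: run in an elevated session on the AD DNS server.
param(
    # Domains named in the post; extend with anything else to be blocked.
    [string[]]$BlockedDomains = @('logmein.com', 'teamviewer.com'),
    # Assumption: placeholder landing address (the post points at google.com's IP).
    [string]$SinkholeIp = '192.0.2.10',
    # Assumption: OpenDNS public resolvers, not listed in the post.
    [string[]]$Forwarders = @('208.67.222.222', '208.67.220.220')
)

# Send every query this server is not authoritative for to OpenDNS only,
# and do not fall back to root hints if the forwarders are unreachable.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false

foreach ($domain in $BlockedDomains) {
    # An AD-integrated primary zone makes this server authoritative for the
    # domain, so the query never reaches the forwarder.
    if (-not (Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $domain -ReplicationScope 'Domain' -DynamicUpdate 'None'
    }

    # '@' answers for the bare domain; '*' catches every subdomain. Without
    # the wildcard, subdomains return NXDOMAIN instead of the sinkhole.
    $records = @(Get-DnsServerResourceRecord -ZoneName $domain -RRType A -ErrorAction SilentlyContinue)
    foreach ($label in '@', '*') {
        if (-not ($records | Where-Object { $_.HostName -eq $label })) {
            Add-DnsServerResourceRecordA -ZoneName $domain -Name $label `
                -IPv4Address $SinkholeIp -TimeToLive 00:05:00
        }
    }
}

# Verify against the local server: apex and a subdomain must both hit the sinkhole.
foreach ($domain in $BlockedDomains) {
    foreach ($name in $domain, "www.$domain") {
        $answer = Resolve-DnsName -Name $name -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }
        $ok = [bool]$answer -and @($answer.IPAddress | Where-Object { $_ -ne $SinkholeIp }).Count -eq 0
        '{0,-28} {1}' -f $name, $(if ($ok) { 'sinkholed' } else { 'NOT sinkholed' })
    }
}
```

The zones only take effect for clients that actually query this server, which is why the outbound port 53 rule on the firewall is still required.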