Ok...
I have been sitting on this idea, not wanting to muddy the waters, but.....
How about this....
Use OpenDNS or similar.. This will block the porn etc by name.. (using proxy with dns pointing to OpenDNS)
A handy option would be an option to evaluate entries to see if an IP address is being requested.. i.e.
http://10.0.0.234/XXXX.aspx
Intercept the IP Address portion, reverse DNS the address and check the name... (allow / disallow failed lookups to pass as an option)..
This would place the load on the lookup portion which is built on a database system that is designed to do lookup operations rather than clogging up a router with thousands of entries that must be evaluated one by one...
This should get you well along the way to a clean system...
OpenDNS allows for custom allow / deny lists...
The forward lookup method works pretty well, as most coders use URLs and not IPs to reference objects in their site..
This will block most attempts by IP...
Another feature could be adding by (FIFO) a list of denied IPs obtained during the IP checking process.
i.e. an address is entered in the URL, the proxy looks it up and finds that it belongs to
http://www.sex.com...
The domain is checked against OpenDNS (forward method / name allow/disallow) and let's say for example that this address is disallowed.. or allowed as the case may be.
Once this has been established, add the address to a local buffer / list (address list would work)
The next time a request is made by IP, the local lists can be checked before the "round trip" is made to the name servers..
This will save time.. (like a cache).. then either age the entry out by time or by FIFO based on cache size..
Nothing will "get them all" but I think this will get very close !!!
Craig
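The IP-check-plus-cache flow Craig sketches above, written out as an added Python example (this is not Craig's code and not part of any proxy or OpenDNS product). Everything external is simulated so it runs offline: `REVERSE_DNS` is a constructed table standing in for the PTR lookups the proxy would make, `DENIED_DOMAINS` stands in for the OpenDNS name-based deny list, the `203.0.113.x` addresses and `*.example` names are constructed, and the class and function names (`IpUrlFilter`, `DecisionCache`, `name_is_allowed`) are hypothetical. The cache implements both aging strategies mentioned: entries expire by TTL and, when the cache is full, are evicted FIFO. The "allow / disallow failed lookups" option is a constructor flag.

```python
import ipaddress
import time
from collections import OrderedDict
from urllib.parse import urlsplit

# ---- constructed stand-ins for the real services -------------------------
# PTR answers the proxy would get for an IP used in a URL (constructed data).
REVERSE_DNS = {
    "203.0.113.10": "www.blocked.example",
    "203.0.113.20": "cdn.allowed.example",
    # 203.0.113.30 deliberately has no PTR record (the "failed lookup" case)
}
# Name-based deny list, standing in for the OpenDNS custom deny list (constructed).
DENIED_DOMAINS = {"blocked.example"}


def host_is_ip_literal(host: str) -> bool:
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def reverse_lookup(ip: str):
    """Simulated reverse DNS: returns the name, or None when the lookup fails."""
    return REVERSE_DNS.get(ip)


def name_is_allowed(fqdn: str) -> bool:
    """Deny when the name, or any parent domain of it, is on the deny list."""
    labels = fqdn.lower().rstrip(".").split(".")
    return not any(".".join(labels[i:]) in DENIED_DOMAINS for i in range(len(labels)))


class DecisionCache:
    """Local IP -> decision buffer; entries age out by TTL or are evicted FIFO."""

    def __init__(self, max_size=1000, ttl_seconds=3600, clock=time.monotonic):
        self.max_size, self.ttl, self.clock = max_size, ttl_seconds, clock
        self._entries = OrderedDict()  # ip -> (allowed, inserted_at), oldest first

    def get(self, ip):
        entry = self._entries.get(ip)
        if entry is None:
            return None
        allowed, inserted_at = entry
        if self.clock() - inserted_at > self.ttl:  # aged out by time
            del self._entries[ip]
            return None
        return allowed

    def put(self, ip, allowed):
        self._entries[ip] = (allowed, self.clock())
        while len(self._entries) > self.max_size:  # FIFO: drop the oldest entry
            self._entries.popitem(last=False)

    def __contains__(self, ip):
        return ip in self._entries


class IpUrlFilter:
    """Checks only requests made by IP; name-based requests are left to the DNS filter."""

    def __init__(self, allow_failed_lookups=False, cache=None, lookup=reverse_lookup):
        self.allow_failed_lookups = allow_failed_lookups
        self.cache = cache if cache is not None else DecisionCache()
        self.lookup = lookup

    def check(self, url: str):
        """Return (decision, reason) for one request URL."""
        host = urlsplit(url).hostname or ""
        if not host_is_ip_literal(host):
            return ("allow", "not-ip")  # normal DNS path handles these
        cached = self.cache.get(host)
        if cached is not None:  # no round trip to the name servers needed
            return ("allow" if cached else "deny", "cache")
        fqdn = self.lookup(host)
        if fqdn is None:
            allowed, reason = self.allow_failed_lookups, "lookup-failed"
        else:
            allowed, reason = name_is_allowed(fqdn), "name-policy"
        self.cache.put(host, allowed)
        return ("allow" if allowed else "deny", reason)


if __name__ == "__main__":
    f = IpUrlFilter()
    for u in ("http://www.example.net/", "http://203.0.113.10/XXXX.aspx",
              "http://203.0.113.10/XXXX.aspx", "http://203.0.113.30/"):
        print(u, "->", f.check(u))
```

The second request for `203.0.113.10` is answered from the cache with the same decision; passing a fake clock into `DecisionCache` makes the TTL behaviour testable without waiting.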