That's a fair question. Issues with misguided draconian measures tend to be revealed fairly quickly, but I also gradually rolled the policy out to several servers so I could make comparisons. With the AWS block in place, I'm sacrificing a lot less bandwidth to the startup crawler du jour (there appear to be a lot of Google wannabes in the AWS space) and there's a huge reduction in exploit attempts/pentesting against all services. It's true that the vast majority of blocks are for DNS requests, without which the domain can't be resolved, so post-block logging won't reveal the desired target host & service. Nonetheless, it's like I applied a pesticide and there is a noticeable reduction in pests. If the pesticide itself proves to be harmful, I'll adjust the amount/formulation or stop using it altogether.