facebook.com will only block when a browser actually goes to facebook.com. It will not work for www.facebook.com.
*.facebook.com will block when a browser goes to <anything>.facebook.com, but will not work if you just type in facebook.com.
*facebook.com will work for both <anything>.facebook.com and facebook.com, but could also block any other website whose name ends in facebook.com (e.g., www.mcafeefacebook.com).
DNS Blocking only works if the Windows system performs the DNS lookup itself; it does not work when a browser is set to proxy to a server, since the proxy server would do the DNS resolution.
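
The three rule forms above can be checked against a list of names before a rule is deployed. This is an added example, not the product's own matching code; it assumes `*` matches any run of characters (dots included), that matching is case-insensitive, and that several rules can be active at once. The function names and every sample hostname except www.mcafeefacebook.com are constructed for illustration.

```python
from fnmatch import fnmatchcase

def rule_matches(rule, hostname):
    """Model of one block rule: '*' matches any run of characters (assumption)."""
    return fnmatchcase(hostname.lower().rstrip("."), rule.lower())

def audit(rules, must_block, must_allow):
    """Return (missed, overblocked) for a set of block rules.

    missed      - names that should be blocked but match no rule
    overblocked - names that should stay reachable but match a rule
    """
    def blocked(host):
        return any(rule_matches(r, host) for r in rules)
    missed = [h for h in must_block if not blocked(h)]
    overblocked = [h for h in must_allow if blocked(h)]
    return missed, overblocked

# Constructed sample names for the audit.
MUST_BLOCK = ["facebook.com", "www.facebook.com", "M.Facebook.com"]
MUST_ALLOW = ["www.mcafeefacebook.com", "facebook.com.example.net"]

# The three rule forms described above, plus the first two combined.
RULE_SETS = {
    "exact": ["facebook.com"],
    "dot-wildcard": ["*.facebook.com"],
    "bare-wildcard": ["*facebook.com"],
    "exact + dot-wildcard": ["facebook.com", "*.facebook.com"],
}

def report():
    """Audit every rule set against the sample names."""
    return {name: audit(rules, MUST_BLOCK, MUST_ALLOW)
            for name, rules in RULE_SETS.items()}

if __name__ == "__main__":
    for name, (missed, overblocked) in report().items():
        print(f"{name:22} missed={missed} overblocked={overblocked}")
```

Under these assumptions, only the combination of the exact rule and the `*.` rule covers the intended names without also matching www.mcafeefacebook.com.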