Their suggestions are excellent.
You can help battle malicious sites by implementing some form of DNS filtering. We recommend Cisco's Umbrella, but there are many such services. Cisco's free version is OpenDNS. It doesn't report or allow customization, but it does filter out known malware off the top.
All of you should minimally be forwarding 100% of your outbound DNS queries that are not resolved inside your district through OpenDNS. All root hints should also be disabled. Absolutely no one should be sending their DNS queries to Google DNS or their ISP's default DNS. Those DNSes don't block malware links. Why would you use a DNS for your district that allows known malware sites to be resolved? It makes no sense.
The FBI is also suggesting you use an Ad Blocker to block malicious ads from showing up in the first place. This is the first time I have seen this commentary but it also makes sense. If I am trapping out basic malware URLs and blocking the ads in the first place, I can dramatically cut down my user's exposure to these threats.
They have a number of other suggestions as well.
You can read their warning here:
If you are not presently doing DNS filtering and need assistance re-pointing your DNS to OpenDNS, give us a call.
-Scott Quimby, CISSP