by zapman449 4492 days ago
Since most clients are supposed to work through a specified resolver rather than run their own, the easy block is to deny port 53 to non-approved resolver hosts. Probably a good idea anyway in a secure environment, since it can potentially avoid cache poisoning if DNSSEC is set up right.

You can use the approved resolver. Just set up a DNS record delegating some subdomain to the fake DNS server, and then any unsuspecting resolver will work for you, sending the request upstream to the authoritative nameserver.
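The bypass described in this reply (a subdomain delegated to a fake authoritative server, reached through the approved resolver) leaves a distinctive trace in the resolver's own query logs, which is where a defender who has already blocked direct port 53, as the first comment suggests, would look. The following is an added example, not code posted in the thread: it scans a constructed "client qname" log and flags zones that receive many distinct names with long leading labels. The two-label zone heuristic, the thresholds, and the log format are assumptions.

```python
"""Flag DNS zones in resolver query logs that look like a delegated covert channel."""
from collections import defaultdict

# Constructed sample of resolver query logs ("client qname" per line); not from the thread.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 a9f3c2e1b7d4.t.example.net
10.0.0.7 0b1e8d7c6a5f.t.example.net
10.0.0.7 ffe2a1c9b8d7.t.example.net
10.0.0.7 7c6d5e4f3a2b.t.example.net
10.0.0.9 cdn.example.org
10.0.0.5 www.example.com
"""

def zone_of(qname, zone_labels=2):
    """Approximate the delegated zone as the last N labels.
    Assumption: a real deployment would consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-zone_labels:])

def summarize_zones(log_text):
    """Per zone: the set of distinct query names and the summed length of their leading labels."""
    stats = defaultdict(lambda: {"names": set(), "label_len": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        qname = parts[1].rstrip(".").lower()
        entry = stats[zone_of(qname)]
        if qname not in entry["names"]:          # count each distinct name once
            entry["names"].add(qname)
            entry["label_len"] += len(qname.split(".")[0])
    return stats

def flag_suspicious_zones(log_text, min_unique=4, min_avg_label=10):
    """Return zones with many distinct names and long leading labels: the shape a
    delegated fake nameserver produces when data is carried through the approved resolver."""
    flagged = {}
    for zone, entry in summarize_zones(log_text).items():
        unique = len(entry["names"])
        avg_label = entry["label_len"] / unique
        if unique >= min_unique and avg_label >= min_avg_label:
            flagged[zone] = {"unique_names": unique, "avg_leading_label": avg_label}
    return flagged

if __name__ == "__main__":
    for zone, info in flag_suspicious_zones(SAMPLE_LOG).items():
        print(zone, info)
```

Tune the thresholds against a baseline of normal traffic; CDNs and some telemetry domains legitimately generate many unique subdomains, so this is a triage signal rather than a verdict.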