Attempting to solve a policy problem with a technological solution is futile. What's to stop your employees from using their own resolver that goes directly to the root DNS servers? (You say, "then, we'll just intercept all port 53 traffic".) Fine, then they use an SSH/tor tunnel over some other port that you can't block (say 143 or 443)...
Much better to just monitor and alert abuse/violations and deal with them as appropriate offline, than to start an arms race with technology that you can't win. The same can be said of any network service or protocol.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
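The "monitor and alert" approach the post recommends, as an added example that is not part of the original message: a small detector that reads flow records and flags DNS traffic from internal hosts that does not go to the sanctioned resolvers (a host querying an outside resolver or a root server directly). The log format, the approved resolver addresses, the internal ranges and the sample flows are all constructed for illustration.

```python
"""Flag port-53 traffic that bypasses the organisation's approved resolvers.

Added example, not code from the original post. Everything below that names a
host, address or log format is an assumption made for the illustration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed policy: these are the only resolvers internal hosts should talk to.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Assumed internal address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flow records: "src dst proto dport bytes".
SAMPLE_FLOWS = """\
10.0.5.23 10.0.0.53 udp 53 412
10.0.5.23 8.8.8.8 udp 53 96
10.0.7.9 198.41.0.4 udp 53 73
10.0.7.9 93.184.216.34 tcp 443 12877
10.0.5.23 10.0.1.53 tcp 53 1540
10.0.7.9 10.0.9.200 udp 53 88
""".strip().splitlines()


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    proto: str
    reason: str


def parse_flow(line):
    """Split one constructed flow record into typed fields."""
    src, dst, proto, dport, nbytes = line.split()
    return src, dst, proto, int(dport), int(nbytes)


def is_internal(addr):
    """True when the address falls inside one of the assumed internal ranges."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def detect_dns_bypass(lines):
    """Return an Alert for every DNS flow from an internal host that skips
    the approved resolvers. Non-DNS traffic and approved lookups are ignored;
    nothing is blocked, the output is meant for review and follow-up."""
    alerts = []
    for line in lines:
        src, dst, proto, dport, _ = parse_flow(line)
        if dport != 53 or not is_internal(src) or dst in APPROVED_RESOLVERS:
            continue
        if is_internal(dst):
            reason = "DNS to unapproved internal host (rogue resolver?)"
        else:
            reason = "DNS to external resolver (bypasses internal DNS)"
        alerts.append(Alert(src, dst, proto, reason))
    return alerts


def summarize_by_source(alerts):
    """Count alerts per internal host so repeat offenders stand out."""
    return dict(Counter(a.src for a in alerts))


if __name__ == "__main__":
    found = detect_dns_bypass(SAMPLE_FLOWS)
    for alert in found:
        print(f"{alert.src} -> {alert.dst} ({alert.proto}/53): {alert.reason}")
    print(summarize_by_source(found))
```

Run against the constructed sample, the detector reports the query to 8.8.8.8, the query to 198.41.0.4 and the query to the unapproved internal host 10.0.9.200, while the two lookups against the approved resolvers and the HTTPS session are ignored. The per-source summary is the part you would hand to whoever handles the violation offline; the script deliberately does not try to block anything.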
