If you want to enforce a set of DNS servers I think it's much more elegant to use a simple NAT rule to redirect any DNS traffic to the DNS server of your choice, which might be the ruter itself so it will use whatever DNS servers you have configered on the router. The advantage of this is that DNS queries always gives an answer, and an answer from your preferred DNS servers, instead of just dropping the traffic.
I'm using this to enforce OpenDNS for a spesific user groups, and to prevent some devices from using public DNS servers. Works very well and is fully transparent.
I could not do the same by using firewall rules, but of course I could just block the traffic in the firewall, but in my case that is not what I want to do.
