
Re: Forcing OpenDNS results in a reverse engineering challenge


Thanks. That helped me to find it.

The DHCP server on my internal network gives the clients the Active Directory controllers for DNS, and they in turn point to the ERL. A ruleset on my UTM ensures that only the ADCs can get out on port 53, and they can only talk to the ERL.

My guest network (another interface on the UTM) gets DHCP from the UTM, and it points the clients to the ERL.

The ERL resolves to OpenDNS.

The part I couldn't remember was that I used a DNAT on the ERL as an enforcement mechanism. It translates any port 53 traffic received on the ERL's inside interface back to the inside IP of the router, where it gets picked up and resolved against the defined resolvers, aka OpenDNS. It seems to work OK in testing. Here's the config.

Thanks again.

rule 5 {
    description dnat_dns_force
    destination {
        port 53
    }
    inbound-interface eth1.65
    inside-address {
        address 192.168.65.250
    }
    log disable
    protocol tcp_udp
    type destination
}
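As an added example (not from the post or from EdgeOS itself), this Python snippet parses the posted rule stanza and checks the properties that make the redirect complete: DNAT type, both TCP and UDP, port 53, the expected inbound interface and inside address. The rule text is the one from the post; the interface and address the checker expects are assumptions, and a port-53 DNAT only catches plain DNS, not encrypted DNS on other ports.

```python
# Added example: parse an EdgeOS brace-style NAT rule and check that it redirects all plain DNS.
# Sample input: the rule stanza as posted in the thread.
RULE_TEXT = """rule 5 {
    description dnat_dns_force
    destination {
        port 53
    }
    inbound-interface eth1.65
    inside-address {
        address 192.168.65.250
    }
    log disable
    protocol tcp_udp
    type destination
}"""

def parse_block(lines, i=0):
    """Recursively parse 'key value' and 'key { ... }' lines into nested dicts."""
    node = {}
    while i < len(lines):
        tok = lines[i].strip()
        i += 1
        if not tok:
            continue
        if tok == "}":
            break                      # end of the enclosing block
        if tok.endswith("{"):
            key = tok[:-1].strip()
            node[key], i = parse_block(lines, i)
        else:
            key, _, value = tok.partition(" ")
            node[key] = value
    return node, i

def parse_rule(text):
    """Return the contents of the single 'rule N { ... }' stanza in text."""
    top, _ = parse_block(text.splitlines())
    return next(iter(top.values()))

def check_dns_force(rule, iface, inside_ip):
    """List the reasons a rule would fail to catch every port-53 query; [] means OK."""
    want = {
        "type": ("destination", rule.get("type")),
        "protocol": ("tcp_udp", rule.get("protocol")),
        "destination port": ("53", rule.get("destination", {}).get("port")),
        "inbound-interface": (iface, rule.get("inbound-interface")),
        "inside-address": (inside_ip, rule.get("inside-address", {}).get("address")),
    }
    return [f"{k} should be {exp}, got {got}" for k, (exp, got) in want.items() if got != exp]
```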

 

