Re: Aside from the obvious of blocking external DNS?
July 16, 2015 at 12:30 pm
#53849
Member
You’d have to set up two firewall rules: One on your input chain to allow traffic to your.zs.ip.addr/32:53 and one on your forwarding chain to deny traffic to 0.0.0.0/0:53. And then tell your users that using external DNS is against your terms of use.
That won’t stop people from trying to use external DNS on nonstandard ports, assuming they’re running a resolver that supports it. I wonder if there’s a Layer 7 filter for DNS.
—
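The two rules described in the post above, written out as plain iptables commands. This is an added example, not part of the original post or ZeroShell's own configuration. It assumes standard iptables chain names, uses a constructed resolver address (192.0.2.1), covers both UDP and TCP, and adds a LOG rule the post does not mention; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: print iptables rules that pin client DNS to one local resolver.
# Function names are hypothetical; 192.0.2.1 is a constructed sample address.

# Return 0 if $1 is a dotted-quad IPv4 address with four octets in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (do not apply) the rules so they can be reviewed first.
dns_lockdown_rules() {
    resolver=$1
    if ! is_ipv4 "$resolver"; then
        echo "invalid resolver address: $resolver" >&2
        return 1
    fi
    for proto in udp tcp; do
        # INPUT chain: clients may query the resolver on the firewall itself.
        echo "iptables -A INPUT -p $proto -d $resolver/32 --dport 53 -j ACCEPT"
        # FORWARD chain: log (an addition to the post), then drop, any DNS
        # addressed to hosts beyond the firewall.
        echo "iptables -A FORWARD -p $proto -d 0.0.0.0/0 --dport 53 -j LOG --log-prefix 'ext-dns: '"
        echo "iptables -A FORWARD -p $proto -d 0.0.0.0/0 --dport 53 -j DROP"
    done
}

# Sample run with the constructed address.
dns_lockdown_rules 192.0.2.1
```

Review the printed rules, then pipe them to `sh` as root; because `-A` appends, they must sit ahead of any broader ACCEPT rule in the FORWARD chain to take effect.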