We have a similar setup but don't need to change the DNS on the WAN port. We just make sure their DHCP goes to either OpenDNS or our local DNS server and it has forwarders setup to OpenDNS. Even if you could change the WAN DNS it wouldn't stop someone from statically setting their computers DNS to a public DNS. The only way to prevent that is to block all DNS queries via firewall to anything except OpenDNS.
Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.