Subject: DNS proxy for ipfilter
To: None <tech-net@netbsd.org>
From: Darren Reed <darrenr@netbsd.org>
List: tech-net
Date: 06/10/2007 23:59:58
There seem to be a few DNS proxies out there but all seem aimed
at doing proxy+cache without being seemingly easy to control what
is accepted or denied.  Plus none of them work with rdr rules in
ipnat.  And I got tired of bind being so big and hard to make work
and I didn't want to dabble with the other main alternative (there
would be more work trying to get it architected right to do the
transparent stuff, I'm sure.)

So this was my weekend project.  Oh, it does no caching (yet.)
There are man pages in the .tgz.

http://coombs.anu.edu.au/~avalon/dns-proxy.tgz

Configuration goes something like this:

port fred 192.168.1.1 5053 transparent;
forwarders { 2.2.2.1, 2.2.2.3; };
acl all port fred { block *.xxx;};
acl all port fred { allow .cnn.com; reject cnn.com; };

To be used with rules like:
rdr fxp0 0/0 port 53 -> 192.168.1.1 port 5053 udp

Also, separate to this, there will be a dns proxy in
IPfilter 5 that allows similar things to be done.
That can be used on the outbound side of a firewall
hosting named with map rules :)

Darren
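As an added illustration, not code from the dns-proxy package or from the post, here is a small Python evaluator for the ACL syntax shown in the message. The matching semantics for `*.xxx`, `.cnn.com` and bare `cnn.com`, first-match-wins ordering, and the default action are all assumptions; the post does not define them.

```python
import re

# Constructed sample: the configuration lines quoted in the post.
SAMPLE_CONFIG = """
port fred 192.168.1.1 5053 transparent;
forwarders { 2.2.2.1, 2.2.2.3; };
acl all port fred { block *.xxx;};
acl all port fred { allow .cnn.com; reject cnn.com; };
"""


def parse_acls(text):
    """Collect (action, pattern) rules from every 'acl ... port ... { ... };' block.
    Assumption: rules keep file order and the first matching rule wins."""
    rules = []
    for body in re.findall(r"acl\s+\S+\s+port\s+\S+\s*\{(.*?)\}\s*;", text, re.S):
        for stmt in body.split(";"):
            parts = stmt.split()
            if len(parts) == 2 and parts[0] in ("allow", "block", "reject"):
                rules.append((parts[0], parts[1].lower()))
    return rules


def matches(pattern, qname):
    """Assumed pattern semantics (hypothetical, not documented in the post):
    '*.xxx'    -> any name with at least one label in front of '.xxx'
    '.cnn.com' -> any subdomain of cnn.com, but not cnn.com itself
    'cnn.com'  -> exact match only"""
    name = qname.lower().rstrip(".")  # normalise case and a trailing root dot
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])
    if pattern.startswith("."):
        return name.endswith(pattern)
    return name == pattern


def decide(rules, qname, default="allow"):
    """Return the action of the first rule matching qname; 'allow' if none
    matches (the default is an assumption)."""
    for action, pattern in rules:
        if matches(pattern, qname):
            return action
    return default


if __name__ == "__main__":
    acl = parse_acls(SAMPLE_CONFIG)
    for q in ("www.example.xxx", "www.cnn.com", "cnn.com", "netbsd.org"):
        print(q, "->", decide(acl, q))
```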