However, not all DNS servers will perform this validation on behalf of their clients (or the clients may be configured to use the wrong resolvers).
Using FAUCET with some NFV, though, you can force clients to use a validating DNS server.
First, you'll need to provide an NFV'd DNS server that performs validation. There is a guide for BIND - it boils down to a couple of extra configuration settings.
Then, you'll need to configure FAUCET to intercept DNS requests and output them to the NFV port where the DNS server is. Here is a FAUCET config snippet that does that:
In this example, we force DNS requests, UDP and TCP, to go out port 1, VLAN 2001, which is where the NFV'd DNS server is running.
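As an added illustration (not the snippet from the original post), this is one way a FAUCET ACL matching that description can be written. Port 1 and VLAN 2001 come from the text; the ACL name, datapath name, `dp_id`, client VLAN and client port numbers are assumptions made up for the example.

```yaml
# Added example, not the original post's config.
# From the text: DNS is forced out port 1 on VLAN 2001.
# Assumed for illustration: ACL name, sw1, dp_id, VLAN 100, client ports 2-3.
acls:
  force-dns:
    # IPv4 DNS over UDP
    - rule:
        dl_type: 0x800
        nw_proto: 17
        udp_dst: 53
        actions:
          output:
            vlan_vid: 2001   # push the NFV VLAN tag
            port: 1          # NFV port where the validating resolver runs
    # IPv4 DNS over TCP
    - rule:
        dl_type: 0x800
        nw_proto: 6
        tcp_dst: 53
        actions:
          output:
            vlan_vid: 2001
            port: 1
    # Everything that is not DNS is switched normally
    - rule:
        actions:
          allow: 1

vlans:
  clients:
    vid: 100

dps:
  sw1:
    dp_id: 0x1
    interfaces:
      # Port 1 (the NFV port) keeps whatever configuration your deployment
      # already gives it; it is deliberately not shown here.
      2:
        native_vlan: clients
        acl_in: force-dns    # client-facing port: DNS is intercepted
      3:
        native_vlan: clients
        acl_in: force-dns
```

The ACL is attached only to client-facing ports, so the resolver's own upstream queries on port 1 are not redirected back to it. The rules match IPv4 only; IPv6 DNS would need equivalent rules with `dl_type: 0x86dd`.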