First, you have to force all DNS requests (port 53, UDP and TCP) to pass through your own resolver (for example, a DNS server that performs recursive queries), regardless of which DNS is configured on the machine itself. By directing all requests to your server, you will have far more control over the blocking. For this, iptables works well (redirecting everything on port 53, regardless of name or IP).
E.g. the user sets 208.67.222.222 (OpenDNS) as the DNS on the client machine, but your routing redirects any access to port 53 to your own server, so the request never leaves the internal network. As soon as any user enters www.facebook.com, your server is the one queried (remember that there is also m.facebook.com, plus a number of other things that can be filtered).
After this, you need to configure your own DNS server, as in the example given by bfavaretto, or by customizing the configuration of the DNS server installed on your machine according to its documentation.
Even so, someone could run a local DNS server that makes its external requests on a port other than 53, escaping the block (this rarely happens, but you should be aware of the risk). Or they could simply put the desired IPs in the hosts file of the machine itself.
If this is for use in a company, the solution is often to put the prohibition into the employees' employment contract, together with a clause giving notice that the screens are monitored remotely, and the first one who "slips" gets a written warning. This way you avoid a lot of "infiltrable" problems more effectively, including undue personal use of the machines, and you avoid a claim of privacy invasion by the employee (provided he is fully aware of the monitoring).
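The port 53 redirect described in the answer above, as an added example that is not part of the original answer or of bfavaretto's: a small script for a Linux gateway that generates (or, with APPLY=1 as root, applies) the iptables NAT rules. It assumes the recursive resolver listens on the gateway's own LAN-facing address; the interface name eth1 and the address 192.0.2.1 are placeholders.

```shell
#!/bin/sh
# Constructed example: force every client DNS query (UDP and TCP port 53)
# arriving on the LAN interface to the gateway's own resolver, no matter
# which DNS server the client has configured.
# Assumptions (placeholders): LAN interface "eth1", resolver IP 192.0.2.1
# bound on the gateway itself. APPLY=1 executes the rules instead of printing.

# Run the command when APPLY=1, otherwise print it so it can be reviewed.
emit() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Generate the DNAT rules for one LAN interface and one resolver address.
# Both UDP and TCP are covered: resolvers fall back to TCP for large answers,
# and a UDP-only rule would leave a gap.
dns_redirect_rules() {
  lan_if="$1"     # interface facing the client machines
  resolver="$2"   # address of our own recursive resolver
  for proto in udp tcp; do
    # "! -s resolver" keeps the resolver's own upstream queries out of the
    # rule, so it is not looped back onto itself if it sits on the LAN side.
    emit iptables -t nat -A PREROUTING -i "$lan_if" -p "$proto" --dport 53 \
      ! -s "$resolver" -j DNAT --to-destination "$resolver:53"
  done
}

# Count how many redirect rules were produced (used as a sanity check).
dns_redirect_rule_count() {
  dns_redirect_rules "$1" "$2" | grep -c -- '--dport 53'
}

dns_redirect_rules eth1 192.0.2.1
```

After applying, a query from a client that still points at 208.67.222.222 is answered by 192.0.2.1, which is what the answer above relies on for the filtering.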