I assume the quick fix to that is to run your own local DNS server(s) and block DNS at the firewall for any local IP/MAC address except that of the server. That forces everyone on your network to use your local DNS rather than use Google or OpenDNS. An exploit that was good enough to be able to spoof the DNS IP/MAC might still get around it. It also assumes that the local DNS won't forward incomprehensible packets on the basis that it wouldn't know where to send them.
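An added example, not part of the original comment: a small audit of firewall flow records that applies the rule described above (only the local resolver may send DNS out of the LAN) and also flags the resolver's IP appearing with a different MAC. The resolver IP/MAC, the LAN range, the record format and the sample flows are all constructed assumptions for illustration.

```python
import ipaddress

# Assumed values for illustration (not from the original comment).
RESOLVER_IP = "192.168.1.53"
RESOLVER_MAC = "02:00:00:00:00:53"
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed firewall flow records: src_mac src_ip dst_ip proto dport
SAMPLE_FLOWS = """\
02:00:00:00:00:53 192.168.1.53 9.9.9.9 udp 53
02:00:00:00:00:10 192.168.1.10 192.168.1.53 udp 53
02:00:00:00:00:11 192.168.1.11 8.8.8.8 udp 53
02:00:00:00:00:12 192.168.1.12 208.67.222.222 tcp 53
02:00:00:00:00:13 192.168.1.53 8.8.8.8 udp 53
02:00:00:00:00:10 192.168.1.10 93.184.216.34 tcp 443
"""

def audit_dns_egress(flow_text):
    """Return (verdict, src_mac, src_ip, dst_ip) for each DNS flow leaving the LAN."""
    findings = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        mac, src, dst, proto, dport = fields
        if proto not in ("udp", "tcp") or dport != "53":
            continue  # not DNS
        if ipaddress.ip_address(dst) in LAN:
            continue  # client -> local resolver stays inside the LAN
        if src != RESOLVER_IP:
            verdict = "BLOCK: client bypassing local DNS"
        elif mac.lower() != RESOLVER_MAC:
            verdict = "ALERT: resolver IP used from a different MAC"
        else:
            verdict = "ALLOW: resolver upstream query"
        findings.append((verdict, mac, src, dst))
    return findings

if __name__ == "__main__":
    for finding in audit_dns_egress(SAMPLE_FLOWS):
        print(*finding)
```

A host that presents both the resolver's IP and its MAC produces records identical to the resolver's own, so this check cannot separate them; that is the gap the comment points out.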