Bonjour :-).
I have implemented functionality like the one you need, only in a slightly different manner; it's commercially used, as part of a networking appliance currently sold by a well-known security company (I have a confidentiality agreement with them, so I cannot offer too many details, but if you have a look at my CV, you can figure out what device and what company I'm talking about; it sort of starts with B and ends with itdefender...).
I have a few suggestions/questions:
1. What amount of traffic are we talking about here?
2. Do you need any kind of pre-query authentication (i.e. have users send subscription data first, so that you don't serve to users who aren't yours)?
3. Are you sure the method you want to use is the one you are looking for? It *does not* handle client-side DNS caching correctly! I chose a different (if more complicated) solution the last time I did this, through a transparent web proxy. Of course, we also needed other features (such as *specific* content blocking), but DNS caching on the client side was one reason why we didn't follow this route.
4. What you describe in the document is essentially a DNS proxy; are you convinced you don't need that kind of functionality added into BIND? BIND is open source; its source code is pretty messy so it may take a little longer, but it is possible to add a pre-caching layer to it. Is it a route you explored?
Best regards,
Alexandru