I can see two ways to do this.
1) Rules in your network.
You can redirect any traffic destined for 0.0.0.0/0 port TCP/UDP 53, and from customers subscribing to your filtered service, to the opendns server.
2) Rules in your routers
Set the default policy to drop
Rule 1 - LAN port 1-52 TCP/UDP ACCEPT
Rule 2 - LAN port 54-65535 TCP/UDP ACCEPT
Rule 3 - LAN port 53 TCP/UDP destination ip address x.x.x.x ACCEPT
This would effectively drop everything except non-dns traffic and dns traffic destined for the approved ip address.
We use DHCP so with a bit more thinking i reckon we could do it in a way where all dns traffic destined for outside ip addresses is dropped, but still allow the router itself to dns relay to the dns server addresses defined in the DHCP process, because there are two seperate packets there.
1) A packet comes in from the LAN and if addressed to the router it should be allowed, but if addressed to an outside ip address it should be dropped.
2) The dns service inside the router re-creates a totally new packet which with the router being the source, it should be allowed to still talk to an outside dns server since the new packet never came in the lan port.
The router of course will only relay to the dns server set by dhcp.
There are still two issues
1) customers would be able to access the router and change the firewall rules unless you block access, and they cant use another router
2) VPNs can bypass it
You cant really solve the VPNs but i would probably advise not allowing customer access (we dont) or the better way would be doing it in your network rather than at the customer site.