Tunneling DNS through SSH has downsides though... performance impact. DNS was conceived as a UDP-based protocol for a reason: to make it lightweight and fast.
Yes you could tunnel DNS via various methods but that's not really the point. You can tunnel just about any traffic if you know how and have the time and resources to set it up.
Fact is, blocking all UDP 53 traffic at firewall level and then only allowing UDP 53 traffic to your desired DNS servers (e.g. OpenDNS, Google DNS, etc.) is a decent solution.
The main reason for doing this is so that if a PC inside the network gets infected with malware, that malware can't then change the PC's DNS servers to something else. It is very common that this happens with malware nowadays, as it allows the malware authors to capture your surfing habits and poison your DNS, i.e. for blocking access to Windows Updates and AV update servers. Some malware is advanced enough to capture passwords through logon attempts to popular sites via DNS poisoning.
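The egress policy described above (drop port 53 everywhere except toward the resolvers you chose), written out as an nftables ruleset. This is an added example, not code from the original post: the resolver addresses are the published OpenDNS and Google Public DNS anycast addresses, the internal interface name `eth1` and the table name `dns_egress` are assumptions, and TCP 53 is included alongside UDP 53 because resolvers fall back to TCP for large answers. Run it as-is to print the ruleset; set `APPLY=1` to load it with `nft`.

```shell
#!/bin/sh
# Added example (not from the original post): build an nftables ruleset that
# permits port 53 only toward an allow-list of resolvers and logs/drops the rest.
# ALLOWED_RESOLVERS defaults to OpenDNS and Google Public DNS (real addresses);
# LAN_IF is an assumed name for the internal-facing interface.

ALLOWED_RESOLVERS="${ALLOWED_RESOLVERS:-208.67.222.222 208.67.220.220 8.8.8.8 8.8.4.4}"
LAN_IF="${LAN_IF:-eth1}"

# Turn a space-separated address list into an nftables anonymous set: { a, b, c }
dns_set_literal() {
    set -- $1
    out=""
    for ip in "$@"; do
        out="${out:+$out, }$ip"
    done
    printf '{ %s }' "$out"
}

# Print the ruleset on stdout; pipe into 'nft -f -' to apply it on the gateway.
build_dns_ruleset() {
    allowed=$(dns_set_literal "$ALLOWED_RESOLVERS")
    cat <<EOF
table inet dns_egress {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Port 53 (UDP and TCP) is allowed only toward the approved resolvers
        iifname "$LAN_IF" meta l4proto { udp, tcp } th dport 53 ip daddr $allowed accept
        # Anything else on port 53 is logged (so a host using a rogue resolver
        # shows up in the firewall log) and dropped
        iifname "$LAN_IF" meta l4proto { udp, tcp } th dport 53 log prefix "DNS-EGRESS-BLOCK " drop
    }
}
EOF
}

# Number of port-53 rules in the generated ruleset (one accept, one drop)
count_dns_rules() {
    build_dns_ruleset | grep -c 'th dport 53'
}

if [ "${APPLY:-0}" = "1" ]; then
    build_dns_ruleset | nft -f -
else
    build_dns_ruleset
fi
```

The log-then-drop rule is what turns the policy into a detection: an infected PC whose resolver settings were changed by malware will generate `DNS-EGRESS-BLOCK` entries for an address outside the allow-list, which is exactly the behaviour the post describes and is otherwise invisible once name resolution simply starts failing.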