This certainly could be done by only allowing outgoing traffic to addresses that have been in the results of a recent DNS lookup (so your DNS server tells your firewall about client lookups). I don't know whether any off-the-shelf solution can do that though.

You could also require all traffic to go through a MITM proxy so you can inspect it, though that wouldn't work so well for guests.