Are your client's Windows based? You could configure a policy push upon handshake to modify the adapters on each client to not register their connection with DNS. That should stop the leak.