Well - Like I said, the effectiveness of this will also depend on you getting things like "ultrasurf" off your network.
I did have a little conversation with some very smart people on that subject here:
http://forum.pfsense.org/index.php/topic,64432.msg349171.html#msg349171
Pay special attention to one post by phil.davis and how he handles port 53 with this solution.
Basically, you want to only allow access to port 53 to your pfsense box and the DNS servers at dyndns from the LAN.
You can set up your DYNdns filters at https://account.dyn.com/labs/dyn-internet-guide/ (log in to dyndns first)
Then click defense plan or default defense. Modify it to block whatever you need blocked in the office)
You will need to also set up your dynamic DNS service in pfsense so that dyndns always knows your network's IP.
Then follow instruction I gave in the thread above.