Well, the way to stop unauthorized APs is to use the AP Authorization List feature and code in the mac addresses of all your authorized APs; this will cause the controllers to reject join requests from any AP which isn't on the list.
In the 5.2 release, you might be able to set up the default AP group with no WLANs, and then manually assign your APs to other AP groups with the appropriate WLAN assignments. I haven't played with this feature yet, though.
Alternatively, you could not use the DNS method for provisioning access points. If you use DHCP option 43, you can have more control over which APs get the option template with the controller addresses.