Hi,
We should deny UDP 68 traffic from a user to any destination. It is simple, if you want to allow a client to get an IP address, allow UDP 67 traffic from the client, if you want to stop the client to Assign/Renew the IP, Deny ( Stop) UDP 68 traffic from the Client.
Hope you got more clarity on this.
Please feel free for any further clarity on this.