In your firewall:
1. Whitelist destination IPs for destination port 53, workflow denials adding IPs that have reverse DNS entries. (e.g. don't allow access to fly-by night DNS servers)
2. Whitelist source IPs for destination port 53. (E.g. do not allow alternate DNS servers to be used inside your org)
Have your org's DNS servers point to OpenDNS or GoogleDNS -- they do a good job of filtering out the rifraf
You should probably have your proxy choose just one path for the initial connection setup and then after some configurable number of packets start the flow cloning process to the secondary route. You want to make sure that the server has a chance to get whatever house keeping it does at connection setup time completed before you start relying on the magic of TCP to keep the server from going insane. If you mess with the connection too early you are likely going to mess something up in game's connection setup process. If you send the very first SYN packet twice there is a good chance the server will reset the connection. Then you are going to have to start adding TCP protocol logic to your proxy which is going to make it way more complex. You will need to peak at the TCP sequence numbers when deciding what to pass back to your client from the server.
UDP is a simpler protocol and therefore more complicated for you to handle. You won't have a sequence number and you will need to hash the contents of every packet coming from the server and only pass packets back to your client that you haven't seen before. And of course you will need some sort of expiration on the hashes.
Without fully implementing the TCP protocol in your proxy you can expect issues from time to time, particularly when you pause play and a reset might slip in at the TCP protocol level. But you should be able to create something that works most of the time pretty easily.