A number of options are available for protecting the DNS server, including:

DNS cache locking
DNS socket pool
DNSSEC

DNS Cache Locking

Cache locking is a security feature of the DNS Server role in Windows Server 2012 R2 that lets you control when information in the DNS cache can be overwritten. When a recursive DNS server responds to a query, it caches the result so that it can respond quickly if it receives another query for the same information. The period of time the DNS server keeps a record in its cache is determined by the Time to Live (TTL) value of the resource record. Without cache locking, a cached record can be replaced at any point in that period, which is exactly what a cache-poisoning attack relies on. With cache locking enabled, the server refuses to overwrite a cached record until a configured percentage of its TTL has elapsed; the locking percentage is 100 by default, so a cached record is not overwritten until it expires.

DNS Socket Pool

The DNS socket pool enables a DNS server to use source port randomization when it issues DNS queries. When the DNS service starts, the server opens a pool of sockets (2,500 by default) that are available for issuing queries. Instead of using a predictable source port, the DNS server selects a random port from the socket pool for each outbound query. The DNS socket pool makes cache-tampering (cache-poisoning) attacks more difficult, because a malicious user must correctly guess both the source port of a DNS query and its random 16-bit transaction ID before a forged response is accepted. The DNS socket pool is enabled by default in Windows Server 2012 R2; the pool size can be changed, and specific port ranges can be excluded from the pool if other services on the host need them.

DNSSEC

DNSSEC enables a DNS zone and all records in the zone to be signed cryptographically, so that a validating resolver (and, through it, client computers) can verify that a DNS response came from the zone's authoritative source and was not modified in transit. DNS is often subject to attacks such as spoofing and cache tampering; DNSSEC helps protect against these threats and provides a more secure DNS infrastructure. Note that DNSSEC provides authenticity and integrity only: responses are signed, not encrypted, and validation is only as strong as the trust anchors configured on the validating server. Windows clients do not validate signatures themselves; a Name Resolution Policy Table (NRPT) rule can require that the DNS server validate responses for a namespace before the client accepts them.
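The following PowerShell script is an added example for the cache locking and socket pool sections above; it is not code from the original page. It audits and hardens both settings on a Windows Server 2012 R2 DNS server using the DnsServer module (RSAT-DNS-Server) from an elevated session. The parameter defaults and the ".\dns-hardening.log" path are assumptions for illustration.

```powershell
# Added example: audit and harden cache locking and the socket pool on a
# Windows Server 2012 R2 DNS server. Run in an elevated PowerShell session on
# a host with the DnsServer module installed. Parameter values are assumptions.
param(
    [string]$ComputerName   = $env:COMPUTERNAME,   # DNS server to manage
    [int]   $LockingPercent = 100,                 # 100 = never overwrite before TTL expiry
    [int]   $SocketPoolSize = 2500,                # Windows default pool size
    [string]$LogPath        = ".\dns-hardening.log" # hypothetical log file
)

Import-Module DnsServer -ErrorAction Stop

function Write-Log([string]$Message) {
    $line = "{0:u} {1}" -f (Get-Date), $Message
    $line | Tee-Object -FilePath $LogPath -Append
}

# --- Cache locking ---------------------------------------------------------
# LockingPercent is the share of a record's TTL during which the cached copy
# cannot be overwritten. Anything below 100 leaves a window for poisoning.
$cache = Get-DnsServerCache -ComputerName $ComputerName
Write-Log "Cache locking percent is $($cache.LockingPercent)"

if ($cache.LockingPercent -lt $LockingPercent) {
    Set-DnsServerCache -ComputerName $ComputerName -LockingPercent $LockingPercent
    Write-Log "Raised cache locking percent to $LockingPercent"
}

# --- Socket pool ------------------------------------------------------------
# The server pre-binds SocketPoolSize UDP sockets at service start and picks a
# random one per query, so the source port is not predictable to an attacker.
$settings = Get-DnsServerSetting -ComputerName $ComputerName -All
Write-Log "Socket pool size is $($settings.SocketPoolSize)"
Write-Log ("Excluded port ranges: " +
           ($(if ($settings.SocketPoolExcludedPortRanges) {
                  $settings.SocketPoolExcludedPortRanges -join ', '
              } else { 'none' })))

if ($settings.SocketPoolSize -lt $SocketPoolSize) {
    # Set-DnsServerSetting takes the modified settings object back via -InputObject.
    $settings.SocketPoolSize = $SocketPoolSize
    Set-DnsServerSetting -ComputerName $ComputerName -InputObject $settings
    Write-Log "Raised socket pool size to $SocketPoolSize (takes effect after DNS service restart)"
    # Uncomment to apply immediately; this briefly interrupts name resolution.
    # Invoke-Command -ComputerName $ComputerName { Restart-Service DNS }
}

# --- Verification: count the UDP sockets the local DNS service has bound ----
# Only meaningful when auditing the local server. With the socket pool active
# the count is close to SocketPoolSize; a handful of sockets would mean the
# pool is effectively disabled (e.g. /SocketPoolSize 0 via dnscmd).
if ($ComputerName -eq $env:COMPUTERNAME) {
    $dnsPid = (Get-Process -Name dns -ErrorAction SilentlyContinue).Id
    if ($dnsPid) {
        $bound = @(Get-NetUDPEndpoint | Where-Object { $_.OwningProcess -eq $dnsPid }).Count
        Write-Log "dns.exe currently holds $bound bound UDP sockets"
    }
}
```

Both settings are also visible from the command line with `dnscmd /Info /CacheLockingPercent` and `dnscmd /Info /SocketPoolSize`, which is useful on servers where the PowerShell module is not installed. Lowering the locking percentage below 100 trades some poisoning resistance for faster convergence when an upstream record changes before its TTL expires.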
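The following PowerShell script is an added example for the DNSSEC section; it is not code from the original page. It signs a zone on a Windows Server 2012 R2 DNS server with the DnsServer module, checks that signatures are served, exports the trust anchor for other validating servers, and shows the client-side NRPT rule that makes validation mandatory. The zone name "corp.example" and the export path are assumptions.

```powershell
# Added example: sign a zone with DNSSEC and verify it on a Windows Server
# 2012 R2 DNS server. Run elevated with the DnsServer module available.
# $ZoneName and $ExportPath are hypothetical values for illustration.
param(
    [string]$ZoneName   = "corp.example",
    [string]$DnsServer  = $env:COMPUTERNAME,
    [string]$ExportPath = "C:\dnssec-anchors"
)

Import-Module DnsServer -ErrorAction Stop

# 1. Sign the zone with the server's default DNSSEC parameters (the same
#    choice as "Sign the zone with default settings" in the DNSSEC wizard).
#    -Force suppresses the confirmation prompt so the script can run unattended.
if (-not (Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer).IsSigned) {
    Invoke-DnsServerZoneSign -ZoneName $ZoneName -SignWithDefault -Force -ComputerName $DnsServer
}

# 2. Confirm the zone is signed and list the key-signing and zone-signing keys.
$zone = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer
"Zone $($zone.ZoneName) signed: $($zone.IsSigned)"

Get-DnsServerSigningKey -ZoneName $ZoneName -ComputerName $DnsServer |
    Format-Table KeyType, CryptoAlgorithm, KeyLength, KeyId -AutoSize

# 3. Ask the server for an A record with the DNSSEC-OK (DO) bit set. A signed
#    zone answers with the A record plus an RRSIG covering it; an unsigned zone
#    or a server that strips signatures returns the A record alone.
$answer = Resolve-DnsName -Name "www.$ZoneName" -Type A -Server $DnsServer -DnssecOk
$answer | Format-Table Name, Type, TTL -AutoSize
if (-not ($answer | Where-Object { $_.Type -eq 'RRSIG' })) {
    Write-Warning "No RRSIG returned for www.$ZoneName; responses are not signed as expected"
}

# 4. Export the DS/DNSKEY trust anchor. The parent zone publishes the DS record,
#    and other validating DNS servers import this file as their trust anchor;
#    without a trust anchor a resolver cannot validate anything in the zone.
New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $ZoneName -Path $ExportPath `
    -DigestType Sha256 -Force -ComputerName $DnsServer
"Trust anchor files written to $ExportPath"

# 5. Client side (run on the client, or deploy through Group Policy):
#    Windows clients do not validate signatures themselves. This NRPT rule
#    makes the client require that its DNS server validated the response
#    (AD bit set) for names under the zone before accepting it.
# Add-DnsClientNrptRule -Namespace ".$ZoneName" -DnsSecEnable -DnsSecValidationRequired
```

Signing only protects clients that ask a validating server: a client pointed at a non-validating resolver, or one without the NRPT rule, accepts unsigned or forged answers exactly as before. Keep the KSK material backed up, since losing it after the DS record is published in the parent makes the zone fail validation until the parent is updated.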