A number of options are available for protecting the DNS server, including :

DNS cache locking

DNS socket pool
DNSSEC
DNS Cache Locking
Cache locking is a Windows Server 2012 R2 security feature that allows you to co
ntrol when information in the DNS cache can be overwritten. When a recursive DNS
server responds to a query, it caches the results so that it can respond quickl
y if it receives another query requesting the same information. The period of ti
me the DNS server keeps information in its cache is determined by the Time to Li
ve (TTL) value for a resource record.
DNS Socket Pool
The DNS socket pool enables a DNS server to use source port randomization when i
t issues DNS queries. When the DNS service starts, the server chooses a source p
ort from a pool of sockets that are available for issuing queries. Instead of us
ing a predicable source port, the DNS server uses a random port number that it s
elects from the DNS socket pool. The DNS socket pool makes cache-tampering attac
ks more difficult because a malicious user must correctly guess both the source
port of a DNS query and a random transaction ID to successfully run the attack.
The DNS socket pool is enabled by default in Windows Server 2012 R2.
DNSSEC
DNSSEC enables a DNS zone and all records in the zone to be signed cryptographic
ally
so that client computers can validate the DNS response. DNS is often subject to
various attacks, such as spoofing and cache-tampering.
DNSSEC helps protect against these threats and provides a more secure DNS infras
tructure.