Upward Referral Responses from Authoritative DNS Servers
One widely debated behaviour of an authoritative name server is the response it sends when it is asked for an FQDN for which it is not authoritative. Up to Windows Server 2012 R2, Windows DNS servers with recursion disabled replied to such queries with an upward referral response carrying the list of root name servers in the additional section. Attackers can abuse this behaviour by sending random queries to the DNS server and receiving an amplified response in return. The amplification would have been even more pronounced with the added support for IPv6 root hints in Windows Server 2016 DNS, making such servers more attractive for orchestrating DNS amplification attacks on victim networks. Such referrals were also found to be of negligible use: resolvers already know the root servers, and most modern resolvers ignore these responses because they are out of bailiwick.
In Windows Server 2016, an authoritative DNS server with recursion disabled no longer sends such upward referrals by default. Instead, the DNS server responds with SERVFAIL.
On earlier versions of Windows DNS server (2012 R2 and before), administrators can prevent this amplification on purely authoritative servers by removing the root hints file. To do this, stop the Windows DNS service, delete the cache.dns file under ~\system32\DNS, and restart the service.
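The procedure above, written as a PowerShell script for a 2012 R2 (or earlier) purely authoritative server. This is an added example and not part of the original article or of any Microsoft tooling; it assumes the DnsServer module is installed (it ships with the DNS Server role), that the script runs elevated on the DNS server itself, and that the server's own address (10.0.0.5) and the probe name (www.example.com) are constructed placeholders. The before/after probe uses Resolve-DnsName with -NoRecursion so that the reply reflects what a non-recursive client would actually receive.

```powershell
# Added example: remove root hints from a purely authoritative Windows DNS server
# (2012 R2 and earlier) so it can no longer emit upward referrals, then verify.
# Requires an elevated session on the DNS server with the DnsServer module loaded.

$ServerIp  = '10.0.0.5'            # constructed: address of this DNS server
$ProbeName = 'www.example.com'     # constructed: a name this server is NOT authoritative for
$CacheFile = Join-Path $env:SystemRoot 'System32\dns\cache.dns'   # the page's ~\system32\DNS\cache.dns

function Test-UpwardReferral {
    # Sends one non-recursive query and reports whether the server still hands back
    # root NS records (the amplified upward referral) or fails the query as intended.
    param([string]$Name, [string]$Server)
    try {
        $answer = Resolve-DnsName -Name $Name -Server $Server -DnsOnly -NoRecursion -ErrorAction Stop
        $rootNs = $answer | Where-Object { $_.Type -eq 'NS' -and $_.Name -eq '.' }
        if ($rootNs) {
            Write-Warning "Upward referral still returned: $($rootNs.Count) root NS records in the reply"
            return $true
        }
        Write-Host "Reply contained no root referral"
        return $false
    }
    catch {
        # SERVFAIL / REFUSED surfaces as an exception here; that is the desired post-fix outcome.
        Write-Host "Query failed as expected: $($_.Exception.Message)"
        return $false
    }
}

Write-Host "=== Root hints currently loaded ==="
Get-DnsServerRootHint | Select-Object -ExpandProperty NameServer | Format-Table RecordData

Write-Host "=== Before ==="
Test-UpwardReferral -Name $ProbeName -Server $ServerIp | Out-Null

# Stop the service, remove the root hints file, restart (the page's three steps).
Stop-Service -Name DNS
if (Test-Path $CacheFile) {
    # Keep a copy so the change can be reverted if this server ever needs recursion again.
    Copy-Item $CacheFile "$CacheFile.bak" -Force
    Remove-Item $CacheFile -Force
    Write-Host "Removed $CacheFile (backup at $CacheFile.bak)"
} else {
    Write-Host "$CacheFile not present; nothing to remove"
}
Start-Service -Name DNS

Write-Host "=== After ==="
Test-UpwardReferral -Name $ProbeName -Server $ServerIp | Out-Null
```

Run the probe section alone first (without the Stop/Remove/Start block) if you only want to audit whether a server still sends upward referrals; a server that has any zone for which it is not authoritative in scope of the probe name will show the root NS list in the "Before" output and a failed query in the "After" output.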
In addition, Windows Server 2016 DNS provides Response Rate Limiting, which helps prevent DNS amplification attacks. It also provides selective recursion control for clients and the ability to filter resolution of malicious domains, both of which help harden the DNS infrastructure.
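The three Windows Server 2016 controls named above, configured together in PowerShell. This is an added example rather than configuration from the original article; it uses the DnsServer module cmdlets Set-DnsServerResponseRateLimiting, Add-DnsServerRecursionScope, Set-DnsServerRecursionScope and Add-DnsServerQueryResolutionPolicy, and the interface address (10.0.0.5), internal client subnet (10.0.0.0/8) and blocked domain (malicious-domain.example) are constructed placeholders to be replaced with your own values.

```powershell
# Added example: harden a Windows Server 2016 DNS server against amplification abuse.
# Run elevated on the DNS server with the DnsServer module available.

# --- 1. Response Rate Limiting -------------------------------------------------
# Start in LogOnly mode so legitimate traffic that would be rate-limited shows up in
# the DNS event log before any responses are actually dropped or truncated.
Set-DnsServerResponseRateLimiting -Mode LogOnly `
    -ResponsesPerSec 5 `      # identical responses per second per client subnet before limiting
    -ErrorsPerSec 5 `         # error (NXDOMAIN/SERVFAIL) responses per second before limiting
    -WindowInSec 5 `          # averaging window
    -LeakRate 3 `             # let 1 in 3 limited queries through so real clients still resolve
    -TruncateRate 2 `         # truncate 1 in 2 limited responses, forcing genuine clients to retry over TCP
    -IPv4PrefixLength 24 -IPv6PrefixLength 56 `
    -Force

# After reviewing the LogOnly results, switch enforcement on.
Set-DnsServerResponseRateLimiting -Mode Enable -Force
Get-DnsServerResponseRateLimiting | Format-List Mode, ResponsesPerSec, ErrorsPerSec, LeakRate, TruncateRate

# --- 2. Selective recursion ----------------------------------------------------
# Default scope ('.') becomes non-recursive, so anonymous Internet clients get an
# authoritative-only service; a named scope re-enables recursion for internal clients.
Set-DnsServerRecursionScope -Name . -EnableRecursion $false
Add-DnsServerRecursionScope -Name InternalClients -EnableRecursion $true

# Queries arriving from the constructed internal subnet on the internal interface are
# mapped to the recursive scope; everything else stays in the non-recursive default.
Add-DnsServerClientSubnet -Name InternalSubnet -IPv4Subnet 10.0.0.0/8
Add-DnsServerQueryResolutionPolicy -Name AllowInternalRecursion `
    -Action ALLOW -ApplyOnRecursion -RecursionScope InternalClients `
    -ClientSubnet 'EQ,InternalSubnet' `
    -ServerInterfaceIP 'EQ,10.0.0.5'

# --- 3. Filtering resolution of a malicious domain -----------------------------
# IGNORE silently drops the query, so the server does not even produce a
# response that could be reflected.
Add-DnsServerQueryResolutionPolicy -Name BlockMaliciousDomain `
    -Action IGNORE -FQDN 'EQ,*.malicious-domain.example'

# Confirm the policies are in place and processed in the expected order.
Get-DnsServerQueryResolutionPolicy | Format-Table Name, ProcessingOrder, Action, IsEnabled
```

Keep RRL in LogOnly mode for a representative period before enabling it; the LeakRate and TruncateRate values are what let legitimate resolvers behind a shared NAT address keep resolving while the bulk of a reflection flood is suppressed. The recursion scope and the domain-blocking policy are independent of RRL and can be applied on their own.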