In Windows Server 2016 we can secure DNS traffic using DNSSEC and DNS policies. DNSSEC allows a client to validate DNS responses, as by default DNS was not designed to be a secure protocol. DNSSEC allows a client to confirm that the information which has been returned from a DNS server has actually come from the correct and trusted DNS server without modification.
DNSSEC, which stands for Domain Name System Security Extensions, was added to help secure the existing DNS protocol. This guide will walk you through configuring DNSSEC in a Windows Server 2016 environment.