I will write about three good DNS security features in Windows Server 2016.
1. Response rate limiting
Response rate limiting (RRL) limits how often the DNS server sends responses to the same client. It is a good defense against denial-of-service attacks.
Set-DnsServerResponseRateLimiting -WindowInSec 6 -LeakRate 4 -TruncateRate 3 -ErrorsPerSec 8 -ResponsesPerSec 8
Read more here.
2. DNS socket pool
The DNS server uses a random source port, taken from a pool of sockets, when issuing DNS queries. It is enabled by default. Use Get-DnsServer to see the pool size.
To increase or decrease the pool size, use:
dnscmd /config /socketpoolsize 4000
Then restart the DNS server:
net stop dns
net start dns
3. Cache Locking
Cache locking controls when entries in the DNS cache can be overwritten. The -LockingPercent parameter of Set-DnsServerCache controls this. By default, the cache locking percent value is 100. This means that the DNS server will not overwrite cached entries for the entire duration of the TTL.
Set-DnsServerCache -LockingPercent 90
More information here.
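
To check all three settings on a server in one pass, here is an added example (not part of the original post). The function names and the baseline thresholds (socket pool of at least 2500, cache locking of at least 90 percent) are assumptions made for illustration, and the sample state is constructed.

```powershell
# Added example. Collecting live values requires the DnsServer module
# (installed with the DNS role or the RSAT DNS tools).
function Get-DnsHardeningState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $rrl      = Get-DnsServerResponseRateLimiting -ComputerName $ComputerName
    $cache    = Get-DnsServerCache -ComputerName $ComputerName
    $settings = Get-DnsServerSetting -All -ComputerName $ComputerName

    [pscustomobject]@{
        RrlMode        = [string]$rrl.Mode            # Enable, Disable or LogOnly
        SocketPoolSize = [int]$settings.SocketPoolSize
        LockingPercent = [int]$cache.LockingPercent
    }
}

# Compares a collected state against a baseline; one result row per check.
function Test-DnsHardeningState {
    param(
        [Parameter(Mandatory)] $State,
        [int]$MinSocketPoolSize = 2500,   # assumed baseline, adjust to your policy
        [int]$MinLockingPercent = 90      # assumed baseline, adjust to your policy
    )

    $checks = [ordered]@{
        'RRL enforcing (Mode = Enable)'          = ($State.RrlMode -eq 'Enable')
        "Socket pool size >= $MinSocketPoolSize" = ($State.SocketPoolSize -ge $MinSocketPoolSize)
        "Cache locking >= $MinLockingPercent%"   = ($State.LockingPercent -ge $MinLockingPercent)
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

# Constructed sample state, so the comparison logic runs without a DNS server:
# RRL only logging, pool raised to 4000, cache locking lowered to 50.
$sample = [pscustomobject]@{
    RrlMode        = 'LogOnly'
    SocketPoolSize = 4000
    LockingPercent = 50
}
Test-DnsHardeningState -State $sample | Format-Table -AutoSize

# Against a real server:
# Get-DnsHardeningState -ComputerName 'dns01' | ForEach-Object { Test-DnsHardeningState -State $_ }
```

With the sample state, the RRL and cache locking checks fail and the socket pool check passes.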