Ping!
I have to speak to this at a management meeting this morning. Here are some of the finer points:
1. This is targeted at Internet-facing DNS servers. The likelihood of an external attack against a NATted private network is very small.
2. Server 2012 Active Directory domain controllers require the installation of DNS during promotion, making DCs particularly vulnerable.
3. If you’re running external resolvers on DCs, shame on you.
4. While Microsoft states there are no mitigating controls, blocking TCP 53 on edge firewalls prevents DNS lookups from getting to your servers.
and... again...
5. See #3
This is, again, much ado about nothing if you’re an enterprise-minded system administrator. I’ve never worked for a company that used Windows for edge DNS resolution. That’s usually handled at the ISP or by GTMs in the DMZ.
How several thousand self-congratulating and thoroughly egotistical software engineers can accidentally build a back door into everything they write is bewildering.