One Day Sec

How do you prepare a malicious DLL that will be loaded by the DNS service?

The DLL must export three functions: DnsPluginInitialize, DnsPluginCleanup, and DnsPluginQuery. For example, DnsPluginQuery can execute code like WinExec("calc.exe", SW_SHOWNORMAL). You compile it with a .def file that lists these exports, then place the DLL on a network share accessible by the DNS server, such as \\domain\SYSVOL\scripts.
