One Day Sec

What defense strategies can prevent this remote DLL loading attack on DNS servers?

Restrict who can write the registry key the attack depends on and monitor it for changes: HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters\ (the ServerLevelPluginDll value). You can remove the Set Value permission for System users on that key, though doing so may affect normal DNS Server functions. Enable enhanced DNS logging (event ID 541 in the DNS audit log records the ServerLevelPluginDll setting being changed) and audit DNS service start/stop (event IDs 2 and 4), which accompany the service restart that actually loads the DLL. Because the attack also requires privileged credentials, protect those as well; for related credential protection, see Penetration Technique - Using tscon to Achieve Unauthorized Remote Desktop Login.
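The checks above, gathered into one defender-side script. This is an added example, not code from the original page or from Microsoft; it assumes it runs in an elevated PowerShell session on the DNS server itself, that the audit channel is named Microsoft-Windows-DNSServer/Audit and the classic log is named DNS Server, and that the event IDs are the ones given in the answer (541; 2 and 4). It only reads the key, its ACL and the logs; it does not change the Set Value permission, since the answer notes that removing it can break normal DNS functions.

```powershell
# Added example: inventory the ServerLevelPluginDll registry value, see who may
# write it, and pull the audit events the answer recommends watching.
# Assumptions: elevated session on the DNS server; log names and event IDs as
# stated in the answer above.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsPluginDllSetting {
    # Returns the current ServerLevelPluginDll value, or $null if the value is
    # absent. Any non-empty value on a server that does not intentionally use a
    # DNS plugin DLL should be treated as an incident.
    $item = Get-ItemProperty -Path $DnsParams -Name 'ServerLevelPluginDll' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.ServerLevelPluginDll
}

function Get-DnsParamsSetValueGrants {
    # Lists every Allow ACE on the Parameters key that includes SetValue, the
    # right needed to plant the DLL path. Review this before deciding whether
    # to remove Set Value from a principal such as SYSTEM.
    $acl = Get-Acl -Path $DnsParams
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue) -ne 0)
    } | Select-Object IdentityReference, RegistryRights, IsInherited
}

function Get-DnsPluginAuditEvents {
    param([int]$MaxEvents = 50)
    # Event ID 541 in the DNS Server audit channel records a server setting
    # change; keep only the ones that concern serverlevelplugindll.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DNSServer/Audit'; Id = 541 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'serverlevelplugindll' } |
        Select-Object TimeCreated, Id, Message
}

function Get-DnsServiceRestartEvents {
    param([int]$MaxEvents = 50)
    # IDs 2 (service started) and 4 (service stopped) in the "DNS Server" log.
    # A stop/start shortly after a 541 is the sequence that loads the DLL.
    Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 2, 4 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: run the four checks and print the results.
Write-Host "ServerLevelPluginDll = $(Get-DnsPluginDllSetting)"
Write-Host "`nPrincipals allowed SetValue on $DnsParams"
Get-DnsParamsSetValueGrants | Format-Table -AutoSize
Write-Host "`nRecent event 541 entries mentioning serverlevelplugindll"
Get-DnsPluginAuditEvents | Format-Table -AutoSize -Wrap
Write-Host "`nRecent DNS Server start/stop events (IDs 2 and 4)"
Get-DnsServiceRestartEvents | Format-Table -AutoSize
```

A non-empty ServerLevelPluginDll value, a 541 event naming it, and a 4/2 pair on the service shortly afterwards are the three observations that, taken together, describe this attack on a host; scheduling the script or feeding the same event filters into a SIEM gives the ongoing monitoring the answer calls for.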
Tags: defense, registry ACL, DNS logging, event ID 541, credential protection, ServerLevelPluginDll
