What are the steps to prevent outside IP addresses (i.e., all but the IPs on my network) from DRDoS/DDoS attacking a Windows Server 2008 R2 server (domain controller and DNS server)? Only domain clients need to contact the server for DNS requests. Steps I've taken, which apparently do nothing to prevent DRDoS and/or DDoS attacks (or at least still show some vulnerability):
1. Preventing all but internal IP ranges from contacting the server ("incoming") via UDP & TCP on port 53 in Windows Firewall;
2. Disabling recursion (and forwarding) in the DNS Administrator properties dialog box for the server listed.
Any "go here, click this, select that" type of help would be appreciated; please do not recommend one of many theoretical or generalized sources that abound on the Web; these really haven't helped much. Thanks!
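The two steps in the question, scripted with the tools that ship with Server 2008 R2 (`netsh advfirewall` and `dnscmd`) so they can be applied and verified from an elevated prompt instead of through the dialog boxes. This is an added example, not part of the original post. It assumes the internal client range is `192.168.10.0/24` (a placeholder) and that the DNS Server role created the built-in inbound rules named `DNS (UDP, Incoming)` and `DNS (TCP, Incoming)`; both names are assumptions, so list the rules first and substitute yours if they differ.

```powershell
# Added example, not from the original question. Assumptions:
#   - internal client range is 192.168.10.0/24 (placeholder, substitute yours)
#   - the DNS Server role's inbound rules are named "DNS (UDP, Incoming)" and
#     "DNS (TCP, Incoming)" (assumed names; check with the 'show rule' line below)
# Run from an elevated PowerShell (or cmd) prompt on the domain controller.

$internal = "192.168.10.0/24"

# 0. List every inbound rule so the real names of the port-53 rules can be confirmed
#    before editing them.
netsh advfirewall firewall show rule name=all dir=in | Select-String "Rule Name"

# 1. Scope the inbound port-53 rules so only the internal range (plus the server's
#    own subnet) can reach the DNS service. 'new remoteip=' replaces the rule's scope,
#    so the previous "Any" remote address is dropped. Block rules win over allow
#    rules, so no extra block rule is needed once the allow rules are scoped.
netsh advfirewall firewall set rule name="DNS (UDP, Incoming)" dir=in new "remoteip=$internal,localsubnet"
netsh advfirewall firewall set rule name="DNS (TCP, Incoming)" dir=in new "remoteip=$internal,localsubnet"

# 2. Disable recursion on the DNS Server service. This is the same setting as the
#    "Disable recursion (also disables forwarders)" box in the server properties,
#    so forwarders stop being used as well.
dnscmd /Config /NoRecursion 1

# 3. Verify both changes: the rules should now show the scoped remote addresses,
#    and NoRecursion should read 1.
netsh advfirewall firewall show rule name="DNS (UDP, Incoming)" verbose
netsh advfirewall firewall show rule name="DNS (TCP, Incoming)" verbose
dnscmd /Info /NoRecursion

# 4. Test from a host OUTSIDE the internal range: a lookup against the server
#    should time out (the firewall never answers), e.g.
#      nslookup www.example.com <server IP>
#    From an INSIDE client the same lookup for a name the server is not
#    authoritative for should fail rather than return an answer (recursion is off),
#    while names in your own AD zones still resolve.
```

Scoping the existing allow rules (rather than adding a second set) is what actually stops reflection: once the firewall never replies to an outside source address, the server cannot amplify anything, including large answers for the zones it is authoritative for, which disabling recursion alone does not prevent. If the service has to stay reachable from a few external addresses, add them to the `remoteip=` list instead of reopening the rule to `any`.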