This should go without saying, considering the big yellow exclamation mark next to the setting in Windows Server DNS, but do not allow nonsecure DNS updates on any zone even closely resembling production.
"Allowing nonsecure dynamic updates is a significant security vulnerability because updates can be accepted from untrusted sources."
Any network device can update, add or delete DNS records in the zone merely by sending a single UDP datagram. This can easily be tested with BIND's 'nsupdate', and could be scripted with a little digging and 'netcat'. I don't see a Metasploit module for this, and this isn't even low-hanging fruit -- this is fruit that falls into your hand.
BIND download, including binary for Windows.
From *any* attached network device (no authentication credentials of any type needed):
Note that you can delete records, as well (update delete ...). Or just randomly generate a million records of whatever type suits your fancy.
Change nonsecure zones to "None" or "Secure Only." To quickly audit Active Directory DNS zones, use this PowerShell script:
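The author's script is not reproduced on this page; the following is an added example (not the author's code) that performs the same audit with the DnsServer module's Get-DnsServerZone, flagging every primary zone whose DynamicUpdate is NonsecureAndSecure. The $ComputerName default and the optional -Fix switch are my assumptions.

```powershell
# Added example (not the author's script): audit a Windows DNS server for zones
# that accept nonsecure dynamic updates, and optionally set them to Secure Only.
# Assumes the DnsServer module (RSAT) is installed and you have rights on the server.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: audit the local server by default
    [switch]$Fix                                # assumption: opt-in remediation of offending zones
)

Import-Module DnsServer -ErrorAction Stop

# Get-DnsServerZone exposes DynamicUpdate as None, Secure, or NonsecureAndSecure.
# Only primary zones accept dynamic updates; skip auto-created zones (e.g. 0.in-addr.arpa).
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$findings = foreach ($zone in $zones) {
    [pscustomobject]@{
        Zone          = $zone.ZoneName
        ADIntegrated  = $zone.IsDsIntegrated
        DynamicUpdate = $zone.DynamicUpdate
        Nonsecure     = ($zone.DynamicUpdate -eq 'NonsecureAndSecure')
    }
}

$findings | Sort-Object Nonsecure -Descending | Format-Table -AutoSize

$bad = @($findings | Where-Object Nonsecure)
if ($bad.Count -gt 0) {
    Write-Warning ("{0} zone(s) accept nonsecure dynamic updates: {1}" -f $bad.Count, ($bad.Zone -join ', '))
    if ($Fix) {
        foreach ($z in $bad) {
            # "Secure Only" requires an AD-integrated zone; file-backed zones can only be set to None.
            $target = if ($z.ADIntegrated) { 'Secure' } else { 'None' }
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $z.Zone -DynamicUpdate $target
            Write-Host "Set $($z.Zone) DynamicUpdate to $target"
        }
    }
} else {
    Write-Host 'No zones accept nonsecure dynamic updates.'
}
```

Run it read-only first; the -Fix switch applies the change to each flagged zone, so run it from an account with DNS admin rights and change control in place.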