We have observed some unexpected behavior on our DNS server. Looking at the logs, it appears to be sending a DNS query to a remote server that is not listed as a forwarder in its configuration. The IP and domain lookup in question appear to be related to malware and they are being blocked, but I cannot figure out why the DNS server is attempting to perform this lookup against this particular server. We do not believe the DNS server is infected, perhaps a client on the network.
Can anyone offer some advice please?