08-17-2016 06:58 AM
If you reslove the URLs in those DNS queries you will get IPs of C&C servers.
The original source of the infection will not be so easy to find.
For start check threat logs with IPs of the infected machines as source or destination. You might also want to check URL logs if it visited some of the suspicious categories (malware, unknown..) if these aren't blocked. If you pinpoint the moment of infection from system logs on the infected device maybe check traffic logs as well. That's as much as you can check on FW. But if the source infection was encrypted connection or USB stick you won't find much info on firewall.
