I've seen this before with some clients in our network. The clients had Sophos installed, and the software in some way manipulated DNS requests from the client (I haven't used Sophos myself so I cannot be any more specific). This would be DNS requests for external domains, which is why your DCs forward them to external DNS servers. Palo Alto sees the DNS traffic, parses the content, notices the Sophos content and changes the appid from dns to sophos-live-protection. We had a case with TAC about it, and the only solution they suggested was to make an Application Override.