What's this problem (DNS)

Please see attachment.
What’s the problem?
Screenshot.png

It’s not a problem as such. Some client is requesting those records, and DNS is unable to resolve them. The most likely cause for the client requesting the records is that it is infected with malware and is part of a botnet, and is trying to contact a control server.

How to detect and block infected machines?

Realistically you can’t. You’d have to detect requests to known C&C DNS names via layer 7 inspection and add request sources to address lists, and filter based on that. You’d constantly have to update the lists of known destinations. Just blocking all clients that request unresolvable resources could lead to false positives and you blocking legitimate traffic.
Unless you truly understand how to do that you’re probably going to cause more problems trying to fix it.

You can buy a firewall appliance that does this for you, with subscriptions so you can download updated signatures and lists.
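
An added example, not written by any poster in this thread, of the approach described in the replies above: match logged DNS queries against a list of known-bad names to collect request sources for an address list, and keep clients that only generate unresolvable lookups on a separate review list, since blocking on those alone produces false positives. The log format, domain names, addresses and threshold are constructed assumptions.

```python
from collections import Counter

# Constructed blocklist; in practice this comes from a feed you must keep updated.
KNOWN_BAD = {"c2.badhost.example", "update.botnet.example"}

# Constructed resolver log lines: "<time> <client-ip> <queried-name> <rcode>".
SAMPLE_LOG = """\
10:00:01 192.168.88.10 c2.badhost.example. NXDOMAIN
10:00:02 192.168.88.10 C2.BadHost.example. NXDOMAIN
10:00:03 192.168.88.20 wpad.lan. NXDOMAIN
10:00:04 192.168.88.20 printer-old.lan. NXDOMAIN
10:00:05 192.168.88.20 www.example.org. NOERROR
10:00:06 192.168.88.30 cdn.update.botnet.example. NOERROR
10:00:07 192.168.88.40 www.example.com. NOERROR
garbage line
"""

def normalize(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.rstrip(".").lower()

def is_known_bad(name, bad=KNOWN_BAD):
    """True if name equals a listed domain or is a subdomain of one."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in bad for i in range(len(labels)))

def triage(log_text, nx_threshold=2):
    """Return (sources that queried a listed name, NXDOMAIN-only review list)."""
    blocklist_hits = set()
    nx_counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing
        _, client, qname, rcode = parts
        if is_known_bad(qname):
            blocklist_hits.add(client)
        if rcode == "NXDOMAIN":
            nx_counts[client] += 1
    # Clients with many failed lookups but no listed name: review, do not block.
    noisy = {c for c, n in nx_counts.items() if n >= nx_threshold}
    return blocklist_hits, noisy - blocklist_hits

if __name__ == "__main__":
    hits, review = triage(SAMPLE_LOG)
    print("address-list candidates:", sorted(hits))
    print("NXDOMAIN-only, review manually:", sorted(review))
```

In the sample, 192.168.88.20 fails as many lookups as the flagged host but only for local names, which is the false-positive case the reply warns about.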