If these compromised machines are behind a FortiGate router and the DNS server is in the same subnet, there is no way for the FGT to control internal network traffic - AFAIK the FGT can only control (i.e. restrict) traffic if it crosses over an interface. So if the DNS server was located on a different subnet (and different interface) you can easily monitor DNS requests going over that interface (to the DNS server).
That said, you may have better odds at resolving DNS issues from the DNS server side (e.g. traffic monitoring/logging, root hints info from client stations) - though I suggest limiting the use of DNS logging as it tends to bog down the server. Also the use of Wireshark.
Things you could do (in general) off the top of my head:
- Limit DNS traffic going out to the Internet to approved DNS servers (e.g. Google DNS) - block all other DNS servers.
- If using an internal DNS server - only allow that server's IPs to make outside DNS requests.
- Make use of app sensors/IPS targeting DNS traffic (like proxying web traffic through port 53).
- Remove (sourced client workstation) root hints.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
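The first two bullets above written out as a FortiOS CLI policy pair; this is an added example, not configuration from the post, and it assumes a LAN interface named "internal", a WAN interface "wan1", an internal resolver at 192.168.10.5 and Google DNS as the only approved upstream resolvers (all of these names and addresses are assumptions).

```fortios
# Added example (not from the post). Assumes: LAN interface "internal",
# WAN interface "wan1", an internal resolver at 192.168.10.5 and Google
# DNS (8.8.8.8 / 8.8.4.4) as the only approved upstream resolvers.
config firewall address
    edit "Internal-DNS-Server"
        set subnet 192.168.10.5 255.255.255.255
    next
    edit "Google-DNS-1"
        set subnet 8.8.8.8 255.255.255.255
    next
    edit "Google-DNS-2"
        set subnet 8.8.4.4 255.255.255.255
    next
end
config firewall addrgrp
    edit "Approved-Public-DNS"
        set member "Google-DNS-1" "Google-DNS-2"
    next
end
config firewall policy
    # Policy order matters: the narrow allow rule must sit above the deny.
    # Policy IDs 10 and 11 are assumed; pick free IDs on your unit.
    edit 10
        set name "Allow-DNS-from-internal-resolver"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Internal-DNS-Server"
        set dstaddr "Approved-Public-DNS"
        set service "DNS"
        set action accept
        set schedule "always"
        set logtraffic all
    next
    # Every other port-53 flow (any client, any resolver) is dropped and
    # logged, which is what gives you per-host visibility of rogue DNS use.
    edit 11
        set name "Block-other-outbound-DNS"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "DNS"
        set action deny
        set schedule "always"
        set logtraffic all
    next
end
```

As the first paragraph notes, these policies only see traffic that crosses from "internal" to "wan1"; a client talking to a resolver on its own subnet never passes the FGT, so that traffic has to be watched on the DNS server itself.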