Typically in any organizations, there is an internal DNS server used for all internal hosts. Direct client access to Internet DNS servers, rather than controlled access through enterprise DNS servers, can expose an organization to unnecessary security risks and system inefficiencies.
Whitelist the public DNS servers, such as Google and OpenDNS
MITRE ATT&CK Tactics
Command and Control
Firewall Traffic Logs
Valid software, which uses DNS for transferring data.
Review internal system and identify any suspicious applications or processes running on it. Perform a full AV/AM scan on the targeted machine.
For organizations, that use internal DNS servers, perimeter firewall will detect the spike being initiated from the internal DNS server. Additional review of the DNS servers events may be required to identified the source machine generating the high volume of DNS traffic.