Unfortunately, there is no official API for these settings.
You can see and modify it with the generic-object API.
Once you have the UID of your threat profile, you can see the settings as follows:

[Expert@MGMT:0]# mgmt_cli -r true --format json show generic-object uid 079c86f0-0c53-4518-9a4e-167a9c1c492e | jq '.malwareDnsTrapSettings'
{
  "objId": "292e317a-88a8-4e74-a33f-0e20d871e5cd",
  "checkPointObjId": null,
  "domainsPreset": null,
  "domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde",
  "resolveIpv4RequestsTo": true,
  "specificIpaddr": "5.5.5.5",
  "ipv4ModeSelection": "SPECIFIED_IP",
  "folderPath": "1dc7816c-2c8e-40a3-a4ed-34dd462ebf4f",
  "text": null,
  "folder": "1dc7816c-2c8e-40a3-a4ed-34dd462ebf4f",
  "is_owned": false,
  "ownedName": ""
}

To change the IP of the DNS trap:

[Expert@MGMT:0]# mgmt_cli -r true set generic-object uid 079c86f0-0c53-4518-9a4e-167a9c1c492e malwareDnsTrapSettings.specificIpaddr "6.6.6.6"

Of course, now that I've read the question again, I realize this wasn't the question you asked.
However, because I did go to some effort to figure this out, I'm leaving the answer here in case anyone else wants to know.

It turns out, the objects that show up in the "Internal DNS Servers" part of the profile is not set in the profile anywhere.
It is a flag that is set in those specific host objects.
Which would mean querying all the host objects to see which ones have the flag set (dns-server true).
Haven't worked out the exact syntax to accomplish this with jq, but I assume it can be done.

To turn an existing host object into a DNS server (and thus show up on this tab):

[Expert@MGMT:0]# mgmt_cli -r true set host name "DNS Server" host-servers.dns-server true

Making something not a DNS server (and thus disappear from this tab) would be:

[Expert@MGMT:0]# mgmt_cli -r true set host name "DNS Server" host-servers.dns-server false

Hope that helps.