Since I know nothing about your infrastructure, it is hard for me to make accurate suggestions, but if you are concerned with your DNS traffic and would like to have more visibility into it, you may consider one of the following options:
1. Enable Name Resolution for the logs, if it is not yet enabled, to get more granular visibility into traffic to each destination.
2. If your AntiBot blade is not yet enabled, please do so, as it will reduce the possibility of C&C traffic.
3. This one I cannot recommend, as I vaguely recall reading about unexpected bad consequences of designating DCs as Internal DNS Servers, but the option is there and I would welcome the input from Check Point and community as to its current state:
Another thing you may consider doing is subscribing to a third-party DNS filtering service, such as OpenDNS, and designating their servers for your upstream lookups.