When your clients attempt to access resources on the internet by name, these must be resolved to IPs for traffic to be forwarded.
The gateway will query the DNS servers configured in its properties to do so.
If your clients and DNS servers are in different networks connected to different interfaces of the gateway, you can identify those that are querying malicious destinations.
If you have a flat network, the origins of the query will be your internal DNS servers.
When you are stating that "DNS query is coming from firewalls IPs", I'd like to know where you're seeing it.
Post the firewall logs, replacing your actual public IPs with bogus entries.