First I want to THANK YOU for reply!
DNS trap was not enabled due to.
CP 4800 R77.30 was used for Security Checkup monitoring(gathering logs from client networks).
On R77.30 I have problems with SmartEvent so I extracted logs and have done reports on R80.30 VM.
So, now most "infected" PC are Domain Controllers.
1. Many DNS request are to malicious sites
2.There is no info about Bogus IPs.
There is info about Protection type - DNS Trap/DNS Reputation.
3.However there is another interesting fact - client IP addresses are from DHCP not on DC. And pool is almost exhausted.
So there are constant changes of addresses between host.
So maybe there will be another deeper inspection of client network and further analysis.