I need to track down what client IP address is making a query of my DNS servers.

Background: I have an NGFW that claims my Linux DNS server has Windows Malware running on it because it is making DNS queries for .ml and .tk domains. Tech support for the firewall says they won't help me track down who is making the query, they can only help if my DNS server is a Microsoft server (really!). I have the debug turned up so I have about 2-3 hours of logs (I am keeping 20 of them).

My trouble is I don't know how to read them to understand who is making what query. Could someone give me some tips on how to read through the "named.run" logs to understand which client is making the questionable queries?

Thanks in advance!
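
An added example, not part of the original post: a small Python filter that pulls the client address out of BIND 9 query-log lines and counts, per client, the queries for names under .ml and .tk. It assumes query logging is switched on (`rndc querylog`) so that `client ... query:` lines are written to the log; the sample lines, addresses and domain names are constructed.

```python
import re
import sys
from collections import Counter, defaultdict

# Assumed BIND 9 query-log line shape (only present when query logging is on):
#   <timestamp> client [@0xADDR] <ip>#<port> (<qname>): [view <v>: ]query: <qname> <class> <type> <flags> (<server ip>)
# The "@0x..." token is optional because older BIND 9 releases do not print it.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: (?:view \S+: )?query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

SUSPECT_TLDS = ("ml", "tk")  # the TLDs the firewall flagged


def suspect_clients(lines, tlds=SUSPECT_TLDS):
    """Return {client_ip: Counter({qname: hits})} for queries under the given TLDs."""
    hits = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # other debug output, not a query-log line
        # DNS names are case-insensitive and may carry a trailing root dot.
        qname = m.group("qname").rstrip(".").lower()
        if qname.rsplit(".", 1)[-1] in tlds:
            hits[m.group("ip")][qname] += 1
    return dict(hits)


# Constructed sample lines (documentation addresses, placeholder names).
SAMPLE = """\
13-Mar-2020 10:15:01.123 client @0x7f3c2c0a1b20 192.0.2.45#51234 (update.example.tk): query: update.example.tk IN A +E(0)K (192.0.2.10)
13-Mar-2020 10:15:02.456 client @0x7f3c2c0a1c30 192.0.2.77#40112 (www.example.com): query: www.example.com IN AAAA + (192.0.2.10)
13-Mar-2020 10:15:03.789 client 192.0.2.45#51240 (cdn.example.ml): query: cdn.example.ml IN A + (192.0.2.10)
13-Mar-2020 10:15:04.001 client @0x7f3c2c0a1d40 2001:db8::15#53001 (Update.Example.TK): query: Update.Example.TK IN A +E(0) (2001:db8::1)
13-Mar-2020 10:15:04.500 resolver priming query complete
""".splitlines()

if __name__ == "__main__":
    # Usage: python3 thisfile.py named.run   (no argument: run on the sample)
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    report = suspect_clients(source)
    for ip, names in sorted(report.items(), key=lambda kv: -sum(kv[1].values())):
        print(ip, sum(names.values()), dict(names))
```

If the reported client is another resolver or forwarder rather than a workstation, the same check has to be repeated on that host's logs to reach the machine that originated the query.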