You see a number of HTTPS connections from Symantec Endpoint Protection (SEP) clients going to IP addresses that resolve to ent-shasta-rrs.symantec.com or shasta-re-healthy.symantec.com, but a whois query shows that they belong to Microsoft.

This traffic is part of the Insight feature of SEP. Symantec uses Microsoft Azure services to handle some of the Insight traffic, so these IP addresses are allocated to Microsoft. This is normal traffic and does not represent any DNS tampering.