These DNS queries are matching IPS attack signatures and being flagged as malicious traffic.
In most cases DNS queries are triggered by user request so check the proxy access log to verify.
In this specific case, it is triggered by the ProxySG.
The customer has recently ran a script that sends "test-url" commands to the proxy to check content-filter category for each URL.
ProxySG#(config content-filter)test-url <URL>
This will trigger DNS queries for those URLs.
It also explains why those URLs are not found in the access log because "test-url" is an internal proxy function.