I got a request from the IT Security team to block malware DNS queries in the DNS service.

They guided me to follow this link:

https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/apply-filters-on-dns-queries

ex: Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicy" -Action IGNORE -FQDN "EQ,*.onion" -PassThru

Unfortunately, this PowerShell command works only on Windows Server 2016 or later.

For previous versions, read these articles:

https://superuser.com/questions/458590/how-to-setup-a-dns-blacklist-whitelist-on-windows-server-2008-r2

https://serverfault.com/questions/513777/prevent-dns-responses-for-specific-domain-completely

Third-party DNS firewall:

https://softati.com/download/dns-firewall/
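As an added example (not from the original post or the linked Microsoft article), the script below builds one query resolution policy from a whole block list on Windows Server 2016 or later, re-creates it idempotently, and verifies it. The domain names and the server name `dns01.corp.example` are constructed placeholders, not real indicators.

```powershell
# Added example: block-list policy for the Windows DNS Server role (2016+).
# Requires the DnsServer module (installed with the role) and an elevated session.
#Requires -Modules DnsServer

$PolicyName = 'BlockListPolicy'

# Constructed sample block list; in practice load it from the feed the security
# team provides, e.g. Get-Content .\blocklist.txt
$BlockedPatterns = @(
    '*.onion',
    '*.malware-example.test',   # placeholder pattern, not a real indicator
    'c2.example.invalid'        # placeholder name, not a real indicator
)

# The -FQDN criterion is an operator followed by comma-separated values,
# so a single policy can cover the entire list.
$FqdnCriteria = 'EQ,' + ($BlockedPatterns -join ',')

# Remove any previous copy so the script can be re-run when the list changes.
if (Get-DnsServerQueryResolutionPolicy -Name $PolicyName -ErrorAction SilentlyContinue) {
    Remove-DnsServerQueryResolutionPolicy -Name $PolicyName -Force
}

# IGNORE silently drops matching queries (the client sees a timeout);
# DENY would answer with an error instead. ProcessingOrder 1 evaluates this
# policy before any others on the server.
Add-DnsServerQueryResolutionPolicy -Name $PolicyName `
    -Action IGNORE `
    -FQDN $FqdnCriteria `
    -ProcessingOrder 1 `
    -PassThru

# Verify the policy exists and show the criteria it matches on.
Get-DnsServerQueryResolutionPolicy -Name $PolicyName |
    Select-Object Name, Action, IsEnabled, ProcessingOrder, Criteria

# Check from a client: a blocked name should time out against this server,
# while an ordinary name still resolves normally.
Resolve-DnsName -Name 'test.onion' -Server 'dns01.corp.example' -ErrorAction SilentlyContinue
Resolve-DnsName -Name 'www.microsoft.com' -Server 'dns01.corp.example'
```

Because IGNORE drops the query rather than answering it, blocked lookups show up on clients as timeouts; if the security team wants a visible failure for troubleshooting, use DENY instead.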