I am getting regular DNS lookups to '82.81.53.202-in-addr.arpa-nettlinx.com' on my local Domain Controllers which the ATP is blocking as a C&C. Has anyone else come across this before?
Yeah, see it now and then.
The ATP actually just matches traffic to well known abuse sources (including DNS lookups / rDNS) and flags these.
Since the source is your DC, it >should< be safe to ignore this as a false positive for botnet infection.
The real question here is really, who is querying your DCs and is the request from the outside (reply to well known abuse host) - then it might be an attempt to poison your DNS.
If you are absolutely sure everything is ok, then you can exempt the DC from ATP warnings.
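The reply's practical advice is to find out who is actually asking the DC for that name and whether the client sits inside or outside the network. The script below is an added example (not part of the original thread and not from any vendor tooling) that does that attribution over DNS query log lines. The log format, the sample lines, the client addresses and the internal address ranges are all constructed assumptions for the example; a real deployment would point it at the DC's own DNS logging output. It also checks a detail visible in the flagged name itself: it contains "in-addr.arpa" as a label but ends in ".com", so it is an ordinary forward hostname dressed up to look like a reverse-DNS record rather than a genuine PTR lookup.

```python
import ipaddress
import re
from collections import Counter

# Constructed, simplified query log: "<timestamp> <client_ip> <qtype> <qname>".
# This is NOT the real Windows DNS debug-log layout; it only stands in for it here.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.25 A 82.81.53.202-in-addr.arpa-nettlinx.com
2024-01-01T10:00:02 10.0.0.25 A intranet.example.local
2024-01-01T10:05:17 10.0.0.40 PTR 202.53.81.82.in-addr.arpa
2024-01-01T10:07:44 203.0.113.9 A 82.81.53.202-in-addr.arpa-nettlinx.com.
2024-01-01T10:09:03 10.0.0.25 A 82.81.53.202-IN-ADDR.ARPA-nettlinx.com
"""

# The name from the thread that ATP flagged.
FLAGGED_NAME = "82.81.53.202-in-addr.arpa-nettlinx.com"

# Assumed internal ranges (RFC 1918); adjust to the real site's address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize_name(qname):
    """DNS names are case-insensitive and may carry a trailing dot; compare them canonically."""
    return qname.rstrip(".").lower()


def parse_log(text):
    """Parse the constructed log format into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        records.append({"ts": ts, "client": client, "qtype": qtype, "qname": normalize_name(qname)})
    return records


def is_internal(ip):
    """True when the client address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def attribute_queries(records, flagged_name):
    """Map each client address to the number of times it asked for the flagged name."""
    target = normalize_name(flagged_name)
    counts = Counter(r["client"] for r in records if r["qname"] == target)
    return dict(counts)


def triage(records, flagged_name):
    """Split the requesting clients into internal and external, which is the question the reply raises:
    an internal client points at a host to inspect; an external client means the DC is answering
    outside queries it probably should not be answering."""
    counts = attribute_queries(records, flagged_name)
    return {
        "internal": {ip: n for ip, n in counts.items() if is_internal(ip)},
        "external": {ip: n for ip, n in counts.items() if not is_internal(ip)},
    }


def mimics_reverse_zone(qname):
    """True when a name contains the 'in-addr.arpa' label but is not actually under the in-addr.arpa zone,
    i.e. a forward hostname styled to look like a PTR record name."""
    name = normalize_name(qname)
    return "in-addr.arpa" in name and not name.endswith(".in-addr.arpa")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    result = triage(recs, FLAGGED_NAME)
    print("internal requesters:", result["internal"])
    print("external requesters:", result["external"])
    print("looks like a fake reverse-DNS name:", mimics_reverse_zone(FLAGGED_NAME))
```

Running it on the constructed sample attributes two lookups to an internal workstation and one to an outside address. The first case is a host to look at (a misconfigured resolver or software doing its own "reverse" lookups via a third-party domain); the second is the situation the reply warns about, where the DC is serving recursive answers to the internet and should be restricted to internal clients.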