Hello Rick,
I'm a little confused by your original post, but I'll give it my best show.
It sounds to me that you're concerned that some of the machines in your environment may be using wrong DNS servers for DNS queries and that you think the cause of this may be a machine (or machines) on the network infected with a threat.
Can I ask what information led you to believe this? If it was a report from a security product (or security staff), then does the report list the hostnames or IPs of computers they believe are affected?
If you can get ahold of a machine having this problem, you can run the command ipconfig /all from the Command Prompt and can view the IP addressss of DNS servers being used by that machine. Once you know the IP addresses for the DNS servers (assuming they are on your network), then it should be fairly simple to trace the IP back to a MAC address. And once you know the MAC address, you should be able to locate the physical port on your network.
Hope this helps.
Regards,
James