I want to identify when multiple queries arise from the same IP address, then I want to analyze which ones are legal/illegal that make traffic over DNS.
You have to specify which traffic is legal/normal and which is abnormal/malicious. You specify it as your security policy. Then if any request violates that policy, it is malicious; otherwise normal.
You also create a dataset which specifies which is normal and abnormal, then use any classifier or clustering technique to distinguish normal and abnormal activities.
If you can't specify the normality of the query in advance, one way to generate that data set is by performing traffic behavior profiling (see the literature) to detect a pattern in the legality of the queries. Typically, illegal traffic behavior tends to show some patterns that are different from the legal ones, such as query time or periodicity of the queries, etc.
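As an added example that is not part of any answer above, the script below puts both suggestions together: it groups DNS queries by source IP, first checks each source against an explicit policy (allowed query types, denied domain suffixes), and then profiles per-IP timing and naming behaviour (query interval regularity as a periodicity signal, query rate, entropy of the leftmost label) to flag sources that violate no rule but still look abnormal. The log format, the policy lists, the thresholds and the sample log lines are all constructed for illustration and are not taken from the thread or from any real dataset.

```python
"""Group DNS queries by client IP, apply a policy, then profile behaviour.

Added example; log format, policy and thresholds are assumptions.
"""
import math
import statistics
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000003 10.0.0.5 AAAA mail.example.com
1700000041 10.0.0.5 A cdn.example.net
1700000000 10.0.0.9 TXT a8f3c2.bad-domain.test
1700000060 10.0.0.9 TXT b91e00.bad-domain.test
1700000120 10.0.0.9 TXT c4d7aa.bad-domain.test
1700000180 10.0.0.9 TXT d00f31.bad-domain.test
1700000240 10.0.0.9 TXT e77b28.bad-domain.test
1700000000 10.0.0.7 A zj3k9x2qv8pm.tunnel.example.org
1700000001 10.0.0.7 A q8w2e4r5t6y7.tunnel.example.org
1700000003 10.0.0.7 A a1s2d3f4g5h6.tunnel.example.org
1700000004 10.0.0.7 A p0o9i8u7y6t5.tunnel.example.org
1700000010 10.0.0.11 ANY example.com
"""

# Assumed security policy (illustrative, not a real blocklist).
DENIED_SUFFIXES = ("bad-domain.test",)
ALLOWED_QTYPES = {"A", "AAAA", "MX", "TXT", "CNAME", "PTR", "SRV"}

# Assumed profiling thresholds; tune them on your own baseline traffic.
PERIODIC_MIN_QUERIES = 5   # need enough intervals before calling it periodic
PERIODIC_MAX_CV = 0.1      # coefficient of variation of inter-query intervals
HIGH_RATE_QPM = 30.0       # queries per minute over the observed window
HIGH_ENTROPY_BITS = 3.0    # mean Shannon entropy of the leftmost label


def parse_log(text):
    """Return (timestamp, ip, qtype, qname) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, qtype, qname = parts
        records.append((int(ts), ip, qtype.upper(), qname.lower().rstrip(".")))
    return records


def group_by_ip(records):
    """Map client IP -> time-sorted list of (timestamp, qtype, qname)."""
    by_ip = defaultdict(list)
    for ts, ip, qtype, qname in records:
        by_ip[ip].append((ts, qtype, qname))
    for queries in by_ip.values():
        queries.sort()
    return dict(by_ip)


def label_entropy(qname):
    """Shannon entropy (bits) of the leftmost label; encoded data scores high."""
    label = qname.split(".")[0]
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def policy_violations(queries):
    """Every query that breaks the policy is a reason to call the source malicious."""
    reasons = []
    for _, qtype, qname in queries:
        if qtype not in ALLOWED_QTYPES:
            reasons.append(f"qtype {qtype} not allowed ({qname})")
        if any(qname == s or qname.endswith("." + s) for s in DENIED_SUFFIXES):
            reasons.append(f"denied domain {qname}")
    return reasons


def profile(queries):
    """Behavioural features for one source IP (timing and naming)."""
    ts = [q[0] for q in queries]
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    span = ts[-1] - ts[0]
    rate = len(queries) * 60.0 / max(span, 60)  # window of at least one minute
    mean_iv = statistics.mean(intervals) if intervals else 0.0
    # Low CV means evenly spaced queries, the shape of a beacon; inf means "unknown".
    cv = statistics.pstdev(intervals) / mean_iv if mean_iv > 0 else float("inf")
    return {
        "count": len(queries),
        "unique_qnames": len({q[2] for q in queries}),
        "queries_per_min": rate,
        "interval_cv": cv,
        "mean_label_entropy": statistics.mean(label_entropy(q[2]) for q in queries),
    }


def classify(queries):
    """Policy first (malicious), then profiling (suspicious), else normal."""
    reasons = policy_violations(queries)
    verdict = "malicious" if reasons else "normal"
    p = profile(queries)
    anomalies = []
    if p["count"] >= PERIODIC_MIN_QUERIES and p["interval_cv"] < PERIODIC_MAX_CV:
        anomalies.append("periodic beaconing")
    if p["queries_per_min"] > HIGH_RATE_QPM:
        anomalies.append("high query rate")
    if p["mean_label_entropy"] > HIGH_ENTROPY_BITS and p["unique_qnames"] == p["count"]:
        anomalies.append("high-entropy, never-repeated labels")
    if anomalies and verdict == "normal":
        verdict = "suspicious"
    return verdict, reasons + anomalies


def analyze(text):
    """Map client IP -> (verdict, reasons) for a whole log."""
    return {ip: classify(q) for ip, q in group_by_ip(parse_log(text)).items()}


if __name__ == "__main__":
    for ip, (verdict, reasons) in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{ip:10} {verdict:10} {'; '.join(reasons)}")
```

On the constructed log, 10.0.0.9 is malicious by policy (denied suffix) and also shows the zero-variance 60-second spacing of a beacon; 10.0.0.7 breaks no rule but is flagged suspicious because every query carries a distinct high-entropy label, a common shape for DNS tunnelling; 10.0.0.11 is malicious for an ANY query; 10.0.0.5 stays normal. The per-IP feature dictionary returned by `profile()` is also the kind of row you would write out to build the labelled dataset the second answer recommends feeding to a classifier or clustering step.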