What do '_' and '#' represent in query reports?
'_' queries are usually made by BIND 9 recursive resolvers performing QNAME minimisation in its relaxed mode: in addition to the query for the full name, the resolver sends a query for '_' prefixed to a shorter suffix of that name in order to locate the zone cut without revealing the whole name. So if a client asks the resolver for c.b.a.com, the authoritative servers for a.com may see queries for both c.b.a.com and _.b.a.com. If you have dotted hosts in your zone file, these queries are more common, because every extra label gives the resolver another suffix to probe. (A dotted host is a name with more than one label below the apex. If a.com is the apex, b.a.com is not a dotted host, as it is one label below the apex; c.b.a.com is two labels below a.com and is therefore a dotted host.)
'#' is a rewrite we apply in UltraDNS query reports. Normally we log every qname (queried name) that is queried for a zone in its query reports. However, if the query rate for a zone exceeds a threshold within a 60-second period, we stop recording individual qnames for that period and collect the count of those queries under #.[domain.com], where domain.com is the zone name.
'*' is a literal asterisk in the queried name, not an indication that queries were answered from a wildcard record. There is no valid reason for a client to query for this character as part of a domain name.
Are these queries malicious?
'_' is not indicative of malice by itself. However, it can correlate with malicious activity: if compromised BIND 9 resolvers are driven to make a high number of queries for many different qnames with many labels, the number of '_' queries rises dramatically along with the malicious pattern.
'#' is often indicative of malicious scripting, since reaching the threshold requires a burst of queries within a single minute, which is what a scripted or random-subdomain flood produces and normal client traffic rarely does.
'*' is never valid, but can be the result of either misconfiguration or malice. Look to other signals, such as the source addresses and the query volume, to determine which.
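As an added illustration of both the report conventions above ('_' probes, the '#' rewrite, the literal '*') and the source-and-volume checks just described, the following Python script builds a toy query report from constructed log lines. It is example code written for this page, not UltraDNS's reporting software. The log line format (epoch seconds, source IP, qname, qtype), the zone apex a.com, the threshold of 4 queries per 60-second window and the function names are all assumptions; the log lines are constructed, and the third source address in them is deliberately the one generating a burst of random-looking names.

```python
"""Toy query-report builder for the '_', '#' and '*' conventions above.

Added example, not UltraDNS's reporting code. The log format
(epoch-seconds source qname qtype), the zone apex, the window length and
the threshold value are assumptions; the log lines are constructed.
"""
from collections import Counter, defaultdict

APEX = "a.com"        # assumed zone apex
WINDOW = 60           # seconds per aggregation window (the page's 60-second period)
HASH_THRESHOLD = 4    # assumed: queries per window before folding into '#'

# Constructed sample log: "<epoch seconds> <source IP> <qname> <qtype>"
SAMPLE_LOG = """\
100 198.51.100.7 www.a.com A
101 198.51.100.7 _.b.a.com A
101 198.51.100.7 c.b.a.com A
105 203.0.113.9 *.a.com A
130 203.0.113.9 x7q1.a.com A
131 203.0.113.9 k2m9.a.com A
132 203.0.113.9 zz03.a.com A
133 203.0.113.9 p0aa.a.com A
134 203.0.113.9 r5ty.a.com A
135 203.0.113.9 j8we.a.com A
""".splitlines()


def labels_below_apex(qname, apex=APEX):
    """Labels of qname that sit below the zone apex, e.g. c.b.a.com -> ['c', 'b']."""
    q = qname.rstrip(".").lower().split(".")
    a = apex.rstrip(".").lower().split(".")
    if q[-len(a):] != a:
        raise ValueError(f"{qname} is not under {apex}")
    return q[: len(q) - len(a)]


def is_dotted_host(qname, apex=APEX):
    """A dotted host has two or more labels below the apex (c.b.a.com, not b.a.com)."""
    return len(labels_below_apex(qname, apex)) >= 2


def underscore_probes(qname, apex=APEX):
    """Names a BIND 9 resolver using relaxed QNAME minimisation may query while
    resolving qname: '_' prefixed to each intermediate suffix below the apex,
    closest to the apex first. A plain host yields none; a dotted host yields
    one per extra label, which is why dotted hosts make '_' queries more common."""
    below = labels_below_apex(qname, apex)
    apex_labels = apex.rstrip(".").lower().split(".")
    return ["_." + ".".join(below[i:] + apex_labels)
            for i in range(len(below) - 1, 0, -1)]


def classify(qname):
    """Bucket a qname by the report conventions: bare '_' probe label, literal
    '*' label, or normal. Service labels such as _dmarc are not '_' probes."""
    labels = qname.rstrip(".").split(".")
    if labels[0] == "_":
        return "underscore"
    if "*" in labels:
        return "asterisk"
    return "normal"


def parse(line):
    ts, src, qname, qtype = line.split()
    return int(ts), src, qname.lower(), qtype


def build_report(lines, apex=APEX, threshold=HASH_THRESHOLD):
    """Per-qname counts. Once a window's query count exceeds threshold, the
    rest of that window's queries are counted under '#.<apex>' instead."""
    report = Counter()
    per_window = Counter()
    for line in lines:
        ts, _, qname, _ = parse(line)
        bucket = ts // WINDOW
        per_window[bucket] += 1
        if per_window[bucket] > threshold:
            report["#." + apex] += 1
        else:
            report[qname] += 1
    return report


def source_summary(lines):
    """Per-source figures a reviewer checks when deciding whether '_', '#' or
    '*' traffic looks malicious: total volume, distinct qnames, and how many
    '_' probes and literal '*' queries each source sent."""
    summary = defaultdict(lambda: {"total": 0, "distinct": set(),
                                   "underscore": 0, "asterisk": 0})
    for line in lines:
        _, src, qname, _ = parse(line)
        s = summary[src]
        s["total"] += 1
        s["distinct"].add(qname)
        kind = classify(qname)
        if kind != "normal":
            s[kind] += 1
    return {src: {**s, "distinct": len(s["distinct"])} for src, s in summary.items()}


if __name__ == "__main__":
    for name, count in sorted(build_report(SAMPLE_LOG).items()):
        print(f"{count:4d}  {name}")
    for src, s in source_summary(SAMPLE_LOG).items():
        print(src, s)
```

Running it shows the second window (timestamps 130 to 135) exceeding the assumed threshold, so its last two queries are folded into #.a.com while the earlier names stay itemised, and the source summary shows that all the random-looking names and the literal '*' query come from one address, which is the kind of source-and-volume signal the text says to look for.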