You're going to most likely use the count function to track the occurrence rate of these types of messages over time. You probably should pre-filter the types of messages you want to track (i.e. dns.answers.type:"Malware" and dns.answers.type:"whatever else" and ...) and save that filter as a Saved Search (in Kibana). Then, use that saved search as the basis for your ML job (instead of every document in the index).
Probably a multi-metric job - again, using count ("Count(Event rate)") as the thing you track, and choose dns.answers.type as the "split field".
There are more advanced ML techniques that can be employed on DNS data (including DNS Tunnelling/Exfiltration detection, etc.). Look at the same jobs within the SIEM app and other examples on this forum (like this one: Security Analytics Recipes - DNS Data Exfiltration)
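As an added illustration of the setup described in the answer above (this is example code, not the answerer's own work or an Elastic artifact), the block below shows the three pieces side by side: the saved-search filter on dns.answers.type (written with `or` so a document matching any tracked value is kept), what a count detector split by dns.answers.type actually computes per bucket_span, and the equivalent anomaly detection job and datafeed bodies. The DNS events, the tracked type values ("Malware", "Phishing"), the 15-minute bucket span, the job id and the index pattern are all constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample DNS events (not real data): timestamps and
# dns.answers.type values are invented to illustrate the job logic.
BASE = datetime(2024, 1, 1, tzinfo=timezone.utc)
EVENTS = [
    {"@timestamp": BASE + timedelta(minutes=m), "dns": {"answers": {"type": t}}}
    for m, t in [
        (1, "Malware"), (4, "Malware"), (9, "A"), (12, "Phishing"),
        (17, "Malware"), (20, "A"), (28, "Phishing"), (31, "Malware"),
        (33, "Malware"), (35, "Malware"), (40, "AAAA"), (44, "Phishing"),
    ]
]

TRACKED_TYPES = ["Malware", "Phishing"]   # assumed values to watch
BUCKET_SPAN = timedelta(minutes=15)       # assumed bucket_span


def kql_filter(types):
    """KQL the Kibana saved search would hold for the pre-filter."""
    return " or ".join(f'dns.answers.type:"{t}"' for t in types)


def prefilter(events, types):
    """Keep only events whose dns.answers.type is a tracked value
    (the datafeed query below does the same server-side)."""
    wanted = set(types)
    return [e for e in events if e["dns"]["answers"]["type"] in wanted]


def event_rate_by_type(events, bucket_span, base=BASE):
    """What a count detector with split field dns.answers.type sees:
    events per bucket, one series per type. Returns {type: [count per bucket]}.
    Empty buckets are kept as zeros, since the model scores those too."""
    if not events:
        return {}
    bucket = lambda e: int((e["@timestamp"] - base) // bucket_span)
    n_buckets = max(bucket(e) for e in events) + 1
    rates = defaultdict(lambda: [0] * n_buckets)
    for e in events:
        rates[e["dns"]["answers"]["type"]][bucket(e)] += 1
    return dict(rates)


def job_config(bucket_span="15m"):
    """Anomaly detection job body equivalent to a Kibana multi-metric job
    using Count(Event rate) split by dns.answers.type."""
    return {
        "description": "DNS answer type event rate (example)",
        "analysis_config": {
            "bucket_span": bucket_span,
            "detectors": [{
                "function": "count",
                "partition_field_name": "dns.answers.type",
                "detector_description": "count partitionfield=dns.answers.type",
            }],
            "influencers": ["dns.answers.type"],
        },
        "data_description": {"time_field": "@timestamp"},
    }


def datafeed_config(job_id, index_pattern, types):
    """Datafeed that feeds only pre-filtered documents to the job, which is
    what basing the job on the saved search achieves in Kibana."""
    return {
        "job_id": job_id,
        "indices": [index_pattern],
        "query": {"bool": {"filter": [{"terms": {"dns.answers.type": types}}]}},
    }


if __name__ == "__main__":
    print(kql_filter(TRACKED_TYPES))
    print(event_rate_by_type(prefilter(EVENTS, TRACKED_TYPES), BUCKET_SPAN))
    print(datafeed_config("dns-answer-types", "logs-*", TRACKED_TYPES))
```

Running it shows the per-type series the job models ({"Malware": [2, 1, 3], "Phishing": [1, 1, 1]} for the constructed events); the job and datafeed dicts are the bodies you would send to the anomaly detection job and datafeed APIs if you preferred creating the job outside the Kibana wizard.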